ML21236A165

Transcript for the Advisory Committee on Reactor Safeguards Digital I&C Subcommittee Meeting - July 22, 2021, Pages 1-142 (Open)
Issue date: 07/22/2021
From: Advisory Committee on Reactor Safeguards
To: Antonescu, C, ACRS
References: NRC-1598


Text

Official Transcript of Proceedings
NUCLEAR REGULATORY COMMISSION

Title: Advisory Committee on Reactor Safeguards Digital Instrumentation and Control Systems
Docket Number: (n/a)
Location: teleconference
Date: Thursday, July 22, 2021
Work Order No.: NRC-1598
Pages 1-119

NEAL R. GROSS AND CO., INC.
Court Reporters and Transcribers
1323 Rhode Island Avenue, N.W.
Washington, D.C. 20005-3701
(202) 234-4433
www.nealrgross.com

DISCLAIMER

UNITED STATES NUCLEAR REGULATORY COMMISSION'S
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS

The contents of this transcript of the proceeding of the United States Nuclear Regulatory Commission Advisory Committee on Reactor Safeguards, as reported herein, is a record of the discussions recorded at the meeting.

This transcript has not been reviewed, corrected, and edited, and it may contain inaccuracies.

UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION
+ + + + +
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
(ACRS)
+ + + + +
DIGITAL INSTRUMENTATION AND CONTROL SYSTEMS SUBCOMMITTEE
+ + + + +
THURSDAY, JULY 22, 2021
+ + + + +

The Subcommittee met via Video Teleconference, at 2:00 p.m. EDT, Charles H. Brown, Chairman, presiding.

COMMITTEE MEMBERS:
CHARLES H. BROWN, Chair
RON BALLINGER, Member
DENNIS BLEY, Member
VICKI BIER, Member
GREG HALNON, Member
WALTER KIRCHNER, Member
JOSE MARCH-LEUBA, Member
DAVE PETTI, Member
JOY REMPE, Member
MATT SUNSERI, Member

ACRS CONSULTANT:
MYRON HECHT

DESIGNATED FEDERAL OFFICIAL:
CHRISTINA ANTONESCU

ALSO PRESENT:
SCOTT MOORE, ACRS Executive Director
JIM BEARDSLEY, NSIR
TOM DASHIELL, ACRS
MARIO FERNANDEZ, NSIR
JURIS JAUNTIRANS, NSIR
ERIC LEE, NSIR
MICHELE SAMPSON, NSIR
DAN WARNER, NSIR
BRIAN YIP, NSIR

C-O-N-T-E-N-T-S

Opening Remarks ... 4
Introductory Remarks ... 7
Cyber Inspection Update and Current Operating Experience ... 8
  Status of Full Implementation Inspections
  Operating Experience (lessons learned)
  Cyber Program 2019 Assessment
  2019 Cyber Assessment Results & Follow Up Actions
  Post Full Implementation Inspection Program
Status of Other Program Elements ... 69
  Cyber Security Petition for Rulemaking Status (PRM-73-18)
  Regulatory Guide 5.71
  Wireless Technology
  Cyber Roadmap Update
Public Comments ... 111
Closing Remarks ... 119

P R O C E E D I N G S

2:01 p.m.

CHAIR BROWN: Okay. Good afternoon, everyone. Sorry for the slight delay. I was counting noses. The meeting will now come to order.

This is a meeting of the Digital I&C Subcommittee. I am Charles Brown, Chairman of the Subcommittee meeting. ACRS members in attendance are Dennis Bley, Matt Sunseri, Jose March-Leuba, Joy Rempe, Ron Ballinger, Dave Petti, Walter Kirchner, Vicki Bier and our consultant Myron Hecht.

A couple may show up. I will let them come as they are able to get in.

MEMBER HALNON: Charlie, this is Greg Halnon. I'm in.

CHAIR BROWN: Oh, okay. Greg Halnon is also now here. Christina Antonescu of the ACRS staff is the designated federal official for this meeting.

The purpose of this meeting is for the staff to brief the Subcommittee on the status of the cyber security program.

The ACRS was established by statute and is governed by the Federal Advisory Committee Act, FACA. That means the Committee can only speak through its published letter reports. We hold meetings to gather information to support our deliberations.

Interested parties who wish to provide comments can contact our office requesting time. That said, we set aside 10 minutes for comments for members of the public attending or listening to our meetings. Written comments are also welcome.

The meeting agenda for today's meeting was published in the NRC's public meeting notice website as well as the ACRS meeting website. On the agenda for this meeting and on the ACRS meeting website are instructions as to how the public may participate.

No requests for making a statement to the Subcommittee have been received from the public. Due to COVID-19, we are conducting today's meeting virtually. A transcript of the meeting is being kept and will be made available on our website. Therefore, we request that all participants in this meeting should first identify themselves and speak with sufficient clarity and volume so that they can be readily heard.

All presenters must please pause from time to time to allow members to ask questions. Please also indicate the slide number you are on when moving to the next slide.

We have a bridge line established for the public to listen to the meeting. The public line will be kept open in a listen-only mode until the time for public comment. To avoid audio interference, I request all attendees to make sure that they are muted while not speaking.

Based on our experience from previous virtual meetings, I would like to remind the speakers and presenters to speak slowly. We will take a short break after each presentation or when it's relevant to allow time for screen sharing as well as the Chairman's discretion during longer presentations.

We do have a backup call in number should Skype go down -- excuse me, should Teams go down, and it has been provided to the ACRS members. If we need to go to the backup number, the public line will also be connected to the backup line.

Lastly, please do not use any virtual meeting feature to conduct sidebar technical discussions. Rather contact the DFO if you have any technical questions so we can bring those to the floor.

We'll now proceed with this meeting, and I'll ask Jim Beardsley to share his screen with us while Ms. Michele Sampson, the Deputy Director, Division of Physical and Cyber security Policy, Office of Nuclear Security and Incident Response for any introductory remarks for today's meeting before we begin today's presentation by Mr. Jim Beardsley, the Branch Chief in the Cyber Security Branch. Michele?

MR. MOORE: Can the members on the public line, you need to mute your phones, you need to mute your phones. We're getting carryover.

MS. SAMPSON: Thank you and good afternoon. I'm Michele Sampson, Deputy Director for the Division of Physical and Cyber security Policy in the Office of Nuclear Security and Incident Response.

I want to express my appreciation for the opportunity to brief on the Agency's cyber security program with the ACRS Digital I&C Subcommittee.

We last briefed the Subcommittee in March of 2019. There have been several significant accomplishments since that last meeting. We will highlight a few, including the completion of the Milestone 8 inspections, a full cyber security program implementation at the operating power reactors and the results of the staff's cyber security program assessment.

We will also touch on some of the exciting future work in cyber security, including the development of a new technology-inclusive graded approach to cyber security regulations as a part of the advanced reactor rulemaking effort.

The cyber security staff routinely interface with our federal partners and domestic and international stakeholders to share operating experience and best practices.

We are committed to maintaining an efficient, robust cyber security program that can adequately protect against the dynamic cyber threat environment.

I would like to recognize the work of Jim Beardsley, Chief of the Cyber Security Branch and his staff, to prepare for today's briefing. And I look forward to the opportunity to hear from him and several members of his branch.

With that, I'd like to turn it over to Jim to begin the presentation.

MR. BEARDSLEY: Thank you, Michele. As Michele stated, I am Jim Beardsley, Chief of the Cyber Security Branch in the Office of Nuclear Security and Incident Response.

Today's brief is an update to a program brief that staff provided to the Subcommittee in March of 2019. Today I will be joined by the following team from the Cyber Security Branch, Mario Fernandez, Dan Warner, Eric Lee, Brian Yip and Juris Jauntirans.

Slide Number 2. Today's brief will discuss the status of the NRC cyber security program, including successful completion of our oversight inspections for the industry's cyber security full implementation.

The program found with reasonable assurance that industry has implemented their programs to meet the requirements of the Cyber Security Rule and the Cyber Security Plans, which are license conditions for each licensee.

The staff has learned a number of lessons on the oversight program from the full implementation inspections, the staff self-assessment of the oversight program and an NRC Office of Inspector General audit of the inspection program in 2019.

As a result, the staff has been working with industry to further implement the graded approach to cyber security to digital asset protection, to further performance inform our cyber security inspection program, to update cyber security guidance in Regulatory Guide 5.71 and to develop a graded approach to cyber security for future applicants and licensees.

Slide Number 3.

CHAIR BROWN: Jim? This is Charlie.

MR. BEARDSLEY: Yes.

CHAIR BROWN: When you talk about a graded approach, I presume in your later slides you will be giving us a detailed discussion of what that means?

MR. BEARDSLEY: I intend to, yes, yes.

CHAIR BROWN: Okay. Thank you. I just wanted to make sure. Thank you.

MR. BEARDSLEY: Absolutely. In our March 2019 brief to the Subcommittee, the staff discussed the power reactor cyber security program history.

Today, I will briefly review some of that history and talk to in particular our future plans as we move forward.

This slide shows the progression of the program from implementation of the Cyber Security Rule in 2009 through industry's cyber security program full implementation, which occurred at the end of 2017.

As a result of lessons learned during the initial implementation inspections between 2013 and 2015, the staff and industry have developed a series of guidance documents for the cyber security program implementation and NRC's inspection program.

Those improvements proved to be a vital element in the successful completion of both the licensee implementation and the staff's inspection of their implementation following the 2017 full implementation date.

In 2010, the NRC issued Regulatory Guide 5.71, Cyber Security Programs for Nuclear Facilities. This document provides the licensees a methodology or framework that can be used to meet the requirements of the Cyber Security Rule.

As a review, this slide shows the primary principles of a cyber security program as listed in the Regulatory Guide.

The first step would be for a licensee to establish a multidisciplinary cyber security assessment team. That team would then be instrumental in implementing the remainder of the program.

The next step would be for licensees to review all of their digital assets and determine which of those assets need to be protected in accordance with the Cyber Security Rule and their Cyber Security Plan.

The next step is for the licensees to implement a defensive architecture. And my following slide will discuss the defensive architecture in more detail.

Finally, the licensees would apply cyber security controls in accordance with their Cyber Security Plan to each of the critical digital assets that they determined needed to be protected in an earlier step.

The final steps of full implementation are for licensees to implement overwriting programs that support the protection, operation and continuing maintenance of their cyber security programs and a number of those elements are listed at the bottom of the slide.

MEMBER HALNON: Hey, Jim, this is Greg Halnon. Do you have a feel, since Reg Guides are voluntary, do you have a feel for how many licensees actually implemented the program for this Reg Guide 5.71?

MR. BEARDSLEY: That's a great question. When the staff published Regulatory Guide 5.71, industry also developed a guidance document, NEI 08-09, which was very, very similar to Reg Guide 5.71.

Most of the operating fleet, in fact all but Vogtle 3 and 4 committed to the NEI document, which has a Cyber Security Plan template that is virtually identical to that in Regulatory Guide 5.71. So only one of our licensees committed to Reg Guide 5.71. But the guidance in the document is enduring and the staff uses it as part of our assessment and licensees do use it as a reference.

MEMBER HALNON: So it wasn't endorsed, but it was found acceptable through your process?

MR. BEARDSLEY: The NEI guidance document was found acceptable for use by the staff, correct.

MEMBER HALNON: Okay.

MR. BEARDSLEY: It was found to be an acceptable method to implement a cyber security program.

MEMBER HALNON: All right.

CHAIR BROWN: How did that happen?

MR. BEARDSLEY: How did the staff make that determination?

CHAIR BROWN: Yes. I don't remember -- I wrote the letter on 5.71 back in 2009 and '10. And I don't remember this NEI document. What's the date of that?

MR. BEARDSLEY: I don't know exactly. We'll have to get back to you. But it came out right about the same time as the Regulatory Guide. It may have been a little earlier. It may have been a little later. But we'll get you an answer to that.

CHAIR BROWN: The purpose of the question is you say it's virtually identical. The rule is fairly specific, you know, the 73 point whatever 54 or whatever the right number is. I probably got it wrong. And I just wondered how this NEI document tracked. I don't remember us ever seeing it. That's why I asked the question.

MR. BEARDSLEY: The format in the document is very similar to Reg Guide 5.71. It's not exact. But the template for a Cyber Security Plan follows the same set of controls, the approximately 160 controls, that the staff had included in Regulatory Guide 5.71.

The industry then used that template to develop and submit to the staff for approval a Cyber Security Plan. And each individual licensee had their Cyber Security Plan reviewed and approved back in 2010.

CHAIR BROWN: There were some sections, if you go back into the appendices for 5.71, I think it was Appendix C where it talked about unidirectional data diode-type connections from the Level 4 to 3 and 3 to anything above that, and did it mirror those types of things as well?

MR. BEARDSLEY: It did. And I'm going to talk about that on the next slide.

CHAIR BROWN: Okay. Thank you.

MR. BEARDSLEY: Sure. Any other questions on the Reg Guide? Okay. Moving on to Slide Number 5.

MR. LEE: Hey, Jim?

MR. BEARDSLEY: Yes.

MR. LEE: The NEI 08-09 was dated April 2010.

MR. BEARDSLEY: Okay. And when was the Reg Guide published?

MR. LEE: I believe that was -- similar time, 2010 or so, I believe.

MR. BEARDSLEY: Right. Well, we'll get an exact answer for the members following the meeting.

MEMBER BALLINGER: It was January 2010.

CHAIR BROWN: Yes, January, thank you.

MR. BEARDSLEY: Okay.

CHAIR BROWN: You got a hit on that.

MR. BEARDSLEY: So the Regulatory Guide was published about three months before the staff accepted NEI's document for use.

So talking about the -- I'm sorry.

MR. HECHT: This is Myron Hecht. You stated -- just a clarification question. You said that all but Vogtle had committed to NEI 08-09. Did Vogtle commit to 5.71? Is that the difference or --

MR. BEARDSLEY: They did.

MR. HECHT: -- did they not commit to anything? I see.

MR. BEARDSLEY: They committed to Reg Guide 5.71, and they elected to use the template in Reg Guide 5.71 for the Cyber Security Plan. So that was how they -- that's how the commitment was made.

And the reason was at that time, NEI -- at the time that Vogtle 3 and 4 submitted their Cyber Security Plan as part of their combined license, the NEI guidance document hadn't been completed yet. So the only template that existed was the one in Reg Guide 5.71.

MR. HECHT: Thanks.

MR. BEARDSLEY: So to go to the question that Member Brown asked, all of the licensees have implemented a topology that's similar to that shown on this slide.

And on the slide Level 0 is the Internet all the way on the right. And as you move from right to left, the systems are more sensitive and are receiving more protection.

So Level 1 would be a corporate network for a licensee that's part of a larger corporation. Level 2 would be a site-wide network and that's the administrative network for training and administration of the site.

And then the licensee is committed to a one-way deterministic device in their Cyber Security Plan. All of our licensees elected to use a data diode to meet that requirement. And that is a digital device that prevents any digital information from being transferred from Level 2 to Level 3. So the laws of physics will not allow data to be transferred over the network from Level 2 to Level 3.

CHAIR BROWN: So Level 3 would be the area where you had, like, the reactor control systems, trip systems, ESFAS, et cetera, safety systems?

MR. BEARDSLEY: Right.

CHAIR BROWN: -- up to Level 4.

MR. BEARDSLEY: Right. Level 3 and Level 4 are not consistently implemented across the various licensees. So each licensee made a determination on where they wanted to put their critical digital assets in Level 3 and/or Level 4.

So I can't say that they all put a certain system in Level 3 and/or Level 4. But beyond the data diode boundary in Level 3 and Level 4, they have all of their safety and security and many of their emergency preparedness digital assets.

CHAIR BROWN: So I was just trying to figure out when I looked at the slides what constituted in NRC's mind the Level 4 and Level 3. Cyber security is one set of words. I wasn't sure what that meant inside of this barrier of the data diode. And I also saw a firewall there.

MR. BEARDSLEY: There is a firewall. In fact, some licensees implemented multiple firewalls to partition different parts of Level 3 and Level 4. And some of them have used additional data diodes to partition various different systems.

So from a security point of view, that's the physical security system, the computers that they use to manage the physical security program and then from the safety systems, that's the balance of plant systems. That's the safety systems. That's any other system that the licensee has determined was a critical digital asset and needed to be protected.

CHAIR BROWN: Okay. So I was thinking that when you say security that kind of -- you're talking about all the -- I call them admins. But they're not really admin relative to being admin-admin. They're not part of the business systems.

In other words, that's where you have all the spyware, whatever you want to call it, to make sure people don't intrude into the site, alarms, all the systems that generate that would be back most in the Level 4 area based on your all's -- whereas Level 3 -- based on your all's categorization would roughly be plant systems, roughly.

MR. BEARDSLEY: I'm not going to disagree with what you're saying, but I can't commit that every licensee elected to put on those systems in one or the other.

CHAIR BROWN: I totally understand, totally. The reason I'm asking the question is because in a couple of the applications we went through, new design plants for the last two or three, we actually ended up with -- you talk about reactor trip in the ESFAS systems which feed, you know, plant control stuff, like reactivity control pumps, valves, whatever you have necessary for your emergency core cooling, et cetera, we largely ended up with unidirectional data diode-type transmissions from those systems to the other ones.

In other words, they were within the Level 3 area, but they were also protected from one safety system, what I would call to maybe a safety -- I don't know what the difference is for the actual components that do the job themselves because you never know what's going to be on some of these pumps, valves whether they have computer controlled controllers or not, et cetera. So we did not want any interaction backwards into those other systems.

So I presume this allows -- that's not a firewall. That was a hard data diode. Other systems could handle a firewall type approach. So I presume that's flexible definition in that 4 and 3 and then within the 3 routine?

MR. BEARDSLEY: It is. And it's really -- the licensee has to determine what systems should be protected and the appropriate level of protection and then they'll partition their networks as such.

CHAIR BROWN: Okay. And for the operating plants, you obviously have to figure that out for the -- you know, we've obviously emphasized that we needed to do that as a design decision in subsequent plant designs, you know, the applications we've dealt with over the past few years. All right. Thank you. You've answered my question. Thank you very much.

MR. BEARDSLEY: Okay. Anybody else have any questions?

MEMBER MARCH-LEUBA: Yes.

MR. BEARDSLEY: Go ahead.

MEMBER MARCH-LEUBA: This is Jose March-Leuba. Something you just said I wanted to hop on it in a previous slide, but I was having silent problems.

You said the licensee is responsible for defining the critical assets that they have to protect, which is the Step Number 2 on this slide.

MR. BEARDSLEY: Correct.

MEMBER MARCH-LEUBA: Do you have an ongoing evaluation of how this changes with time? And what I'm coming to is first, we have had to protect against hackers, which are in the top 0.0001 percent of the smartest people in the world. And some of them have state support and even money. So you have to be extremely careful.

And in the last five years, we have seen an explosion of Internet-connected devices, what we call IoT devices, Internet of Things, something like smart lights, smart thermostats, you know, smart TVs, microwaves.

MR. BEARDSLEY: Right.

MEMBER MARCH-LEUBA: So is there an ongoing re-evaluation of how I can attack my system? And I'm not talking monthly, yearly or bi-yearly but an ongoing one? Something changing my plant, do I need to do something different?

MR. BEARDSLEY: So that's a great question. When we inspected the licensees back between 2013 and 2015, we reviewed their methodology for determining what assets had to be protected, what were critical digital assets, and also inspected their change control processes.

During the subsequent inspection program that started in 2017, we again reviewed that list and the changes that they had made. So any changes to the program, any changes to the list of critical digital assets, is something the staff will look at in the inspection space to make sure the licensee has appropriately characterized the assets and made sure that they are appropriately protected.

MEMBER MARCH-LEUBA: You know, I'm more concerned with their changing the hardware in the plant. Somebody plugs in an Alexa in his office. Does that get evaluated?

If you change your protection system and you go from computer type A to computer type B for the protection system, of course, they're evaluated.

What I'm saying is the famous example of the aquarium in the casino. Is there an aquarium somewhere in the plant that has changed the configuration?

MR. BEARDSLEY: Okay. So for the most part, you know, the licensee has their own corporate configuration management program and controls on the Level 1 and Level 2 network. So that's the administrative network that will be sitting in someone's office.

Level 3 and Level 4 are those assets that have to be protected in accordance with the Cyber Security Rule. And there are very specific requirements on what assets have to be protected and the controls associated with those assets.

So the licensees not only have systems in place, they have to do vulnerability assessments, and they have to do assessments of their digital assets to make sure they're protected, you know, on an ongoing basis.

So they do have, you know, a regular program of periodic review, as is stated on the slide, to look at their systems.

So if someone tried to plug something into an asset, the licensee is responsible to identify that either through log reviews or through an automated system that would monitor whether something had been plugged in.

Also, the licensees are expected to mitigate any potential things plugged into their critical digital assets through configuration management and blocking of ports or a number of other defensive methodologies.

MEMBER BALLINGER: This is Ron Ballinger. Let me know if I'm getting too security conscious here. But other organizations which I will not name have teams whose business is to compromise a network. Do you folks have such an organization that goes around and tries to compromise a network to test it?

MR. BEARDSLEY: At the current time, the NRC Inspection Program does not include that type of activity. And there's a couple reasons for that.

One, we would never want to try and mess with an operating nuclear power plant. That would be very risky, and it's been determined to be not an appropriate activity.

The other aspect of it is with the data diode, it would be very difficult for an adversary to reach the protected systems. They would have to bypass the data diode, either through the portable media program, which has a very specific set of requirements and the staff has inspected or through supply chain or some other threat vector.

So it is not likely that a penetration type test, which is what I think you're talking about, would add any value to the program at this time.

MEMBER MARCH-LEUBA: This is Jose again.

25 I am concerned that people will give too much credit 1

to the little diode, which is a great thing to have.

2 But these guys can figure out ways to get past it.

3 You can have a wireless network at Level 4. It's 4

called the cell phone tower. You already have a 5

wireless network inside a plant. You just need a 6

little chip to assist.

7 So if you have -- you need to have an 8

inside threat, somebody that goes physically as an 9

extra thing with a button that you can bypass. So 10 let's give the credit where the credit is due but 11 don't give it 100 percent credit. It's only 99 12 percent effective.

MR. BEARDSLEY: And we don't give 100 percent credit. The staff has focused the last four years of inspection on potential methods for bypassing the data diode. Now the licensees do have limitations, and they have committed to not having wireless systems. They scan for wireless networks that are unexpected. So from a wireless point of view, the licensees understand very clearly what their requirements and limitations are.

So we have focused on those areas that can be used to bypass the data diode, and that will continue to be one of the focuses of the industry and the staff's oversight inspections.

CHAIR BROWN: Thank you, Jim.

MEMBER KIRCHNER: This is Walt Kirchner. Just following up on Jose's points, and you live this so it's not my particular line of business. But with the evolving threats, without getting into any kind of actual threat scenario or mechanism, is it safe to say that line of defense with the data diode, assuming that it's more than a data diode. It's all portable media, et cetera, et cetera. Are you finding that more and more things have to be pulled inside the Level 4 or 3 envelope?

Do you see where I'm going with this? In other words, you actually have to move your fence out further in the plant in terms of balance of plant and other support systems to protect against the evolving threat and the technologies that could represent a threat. Is that a safe assumption?

Are you finding as your licensees get into this and do a continual review, you're pushing more and more stuff? Either you can say it one way, you're putting more and more on Level 4 and 3 or you're moving that boundary out or both.

MR. BEARDSLEY: Actually, the staff and industry have found that the industry may have over-included the number of digital assets and the level of digital assets that need to be protected. So we have and, you know, Member Brown asked me about the graded approach earlier.

One of the things we've looked at in the graded approach is to make sure that the right assets are being protected at the right level. And in some cases, we found that the licensee may have overprotected some of their assets. And in doing so by reducing the protection on some, it helps them focus the protections they need on the most critical asset.

So we have not seen extensions in the barrier. In fact, we believe the barrier is sound and is pretty well implemented right now. But let me --

MEMBER KIRCHNER: Okay. Thank you.

MR. BEARDSLEY: -- to your question, let me just add one quick thing. So the staff has -- in answer, we have a branch that does intelligence and threat analysis. Through that branch and through our interagency counterparts, the staff does monitor any evolving threats and continuously is looking at the potential for a threat that could bypass the systems and the controls the licensees have in place. So that's an ongoing effort that we have. I'm sorry. I cut somebody off.

MEMBER KIRCHNER: No, thank you. I was just trying to say thank you.

MR. BEARDSLEY: Okay.

CHAIR BROWN: Jim, the data diodes that you all have observed or seen them install or have in place, I presume those are literally hardware-based data diodes. In other words, their direction, that single directionality is not configured with software processes?

MR. BEARDSLEY: It is a physical data diode. It is a laser-based tool. And the laser only fires from the Level 3 side down to the Level 2 side or from the higher side to the lower side.

So you cannot physically -- the laws of physics won't allow data to travel back on the network.

CHAIR BROWN: Okay. I thought that was the case, but I always worried about advertising from some people that make these things so.

MR. BEARDSLEY: It's a pretty small market. I'll tell you that.

CHAIR BROWN: Okay. You haven't gotten to your graded stuff yet. So I'll wait. I'll save my questions for that until you get there.

MR. BEARDSLEY: Okay.

CHAIR BROWN: I have a question on that. I just don't want to interrupt your thought process here.

MR. BEARDSLEY: All right. All right. We'll get there.

MR. HECHT: This is Myron Hecht. Can I just go back to the last thing that Jim has said. You said that there's a diode which allows a transmission only from Level 3 to Level 2. Shouldn't it be the other way?

MR. BEARDSLEY: No. You only want data to travel from the secure level to the less secure level. In other words, the licensees are doing diagnostics on the systems in Level 3 and Level 4. They will pass that down to the lower level so they can aggregate and understand whether or not there are any issues.

MR. HECHT: Yes, yes, of course. Thank you.

MR. BEARDSLEY: Okay. So this slide focuses on our inspection program. The inspections started out in the summer of 2017. And the staff conducted a full implementation inspection at every operating nuclear site in the country.

We completed all 58 of those inspections in June of 2021. The inspections were a two week inspection program conducted by two inspectors from the appropriate region and two subject matter expert contractors who supported them during the inspections.

We also have a team at headquarters in the Cyber Security Branch that provides the inspection teams technical backup on any questions that arise during the inspections.

Although the inspections did identify a number of very low safety significance findings, the industry demonstrated with reasonable assurance an understanding of the Cyber Security Plan requirements and effective program implementation.

The staff observed at a high level some of the following observations. The quality of critical digital asset and system assessments was challenged at some of the licensee sites. And the staff provided feedback to the industry on that.

It didn't impact their ability to protect the assets, but it may impact their ability to do continuing analysis or change control in the future.

In addition, the licensees were challenged conducting vulnerability assessments on their programs. And the challenge there is they have a large number of digital assets, and there's a significantly large number of vulnerabilities that are identified by industry and the government on an ongoing basis. And the licensees did have some challenges in collecting and evaluating those vulnerabilities. The staff did cite some violations in this area. And industry has made strides to improve that process.

Another area that the staff found was in the licensee's implementation of their cyber security defense in-depth, there were times when the licensees had not fully implemented their defense in-depth programs. The staff again cited that and the industry has continued to improve those over time. Any questions about the inspection program?

CHAIR BROWN: Jim, I have to backtrack one more time on the previous slide. If you could go back to that. Talking about physical security, did you -- you talked about being, you know, the outfit monitors, making sure the overall site is safe.

MR. BEARDSLEY: Correct.

CHAIR BROWN: All the guard information, all the detecting type information for intruders, all that kind of stuff, that generally has an evolving nature if stuff gets upgraded. I mean, people always want to make it better.

I note you were talking about in one of your later slides, and you mentioned wireless. A lot of the stuff in this physical security world is wireless associated. And I guess have you all looked at that relative to systems?

Maybe the right way to say it is those responsible for physical security are not allowing any wireless type connections back down in that Level 4 area or the security world?

MR. BEARDSLEY: That is correct.

CHAIR BROWN: Okay.

MR. BEARDSLEY: The licensees are not at the time by their Cyber Security Plan allowed to connect wireless systems to their critical digital assets. They could in the future do that. But they would have to do significant analysis and the staff would be inspecting that to make sure that it meets the appropriate requirements.

CHAIR BROWN: Yes. One of my concerns was if you -- you don't have it now, but somebody brings in a piece of new equipment. It's a real super whamadyne. Everybody loves it because it's going to simplify all the work. And it's got something buried in it that's wireless and now all of a sudden you've got a path.

I don't know how you monitor that. You know, I'm not a radio engineer anymore. But I guess I'm always worried about new stuff coming in because it seems like the world, as it operates today, as Jose noted, the Internet of Things is now also in the air all the time, its connectivity, so.

MR. BEARDSLEY: Right. Through the licensee's change control program, they have to do a very robust evaluation to include their cyber security requirements. And we inspect those changes, both through cyber security inspections and through the NRC's routine change control inspections.

So we are looking at that. And industry is aware that the implementation of wireless is something that will be a challenge for them. And we do have a discussion on that topic later in the presentation.

CHAIR BROWN: Okay. Thank you.

MEMBER HALNON: Hey, Jim. This is Greg Halnon. On the inspection program, you mentioned challenges in several areas, and those are pretty much downstream of the initial identification of CDAs, which is real documentation intensive.

Did you get a sense that the overidentification of CDAs was taxing the resources such that those challenges manifested downstream of the process or were those challenges just pretty much specific to the licensee issues?

MR. BEARDSLEY: I would say the answer is both. You know, any time you're trying to manage thousands of digital assets, that's a pretty significant effort.

So if through evaluation the staff and industry find that we can reduce that overall effort and allow them to focus on the assets that are found to be of higher importance, and I'll just characterize it as that, arguably, that would help them focus on their program.

So I can't say, you know, explicitly one way or the other because each licensee is different and each case was different. But that was one of the areas that was identified during our self-assessment that I'll talk about in a moment and one of the things that we've worked on over the past few years.

MEMBER HALNON: Okay. It seems like a graded approach then would try to reduce the front end piece as well so that resources could be not so tied up on the initial discussion.

I know that piece is past this. But it's still, you know, what you mentioned overidentification of CDAs is still there. And there's still a lot of ornaments that go around that to manage that.

So some resources, I know, is a key issue throughout the industry. I would be interested down the road of seeing how the graded approach might help alleviate some of the resource issues that we have.

MR. BEARDSLEY: Sure. As I stated earlier, we have learned a significant number of lessons since 2012. And one of the things that we're looking at in our future cyber security rulemaking is making sure we've right-sized that assessment process and the identification of digital assets. And we'll talk some more about that in the presentation as well.

MEMBER HALNON: Very well. Thanks.

CHAIR BROWN: Jim, when you get to your graded approach, that's just another word for risk-informed and not personal thought processes. Are you going to be able to provide some information on criteria that will allow you to even think about a graded approach as to not -- is there some partitioning that some things will never get there but others are because of some circumstances or some characteristics?

MR. BEARDSLEY: Well, you're --

CHAIR BROWN: If you do that later, that's fine. I just wanted -- that's one of the questions I had for later.

MR. BEARDSLEY: That's a great segue. So what I'm going to talk about now is the self-assessment that the staff conducted of our cyber security oversight program and every element in it, from the rule through the implementation, through licensee implementation and our inspection program.

We conducted that assessment in 2019. Staff provided management with a report on the results of that assessment. The assessment included significant engagement with stakeholders, multiple public meetings. And on the next slide, I'm going to talk about our action plan that we put together to address a number of the areas that were identified during the assessment.

Some of those areas are systems where we have looked at a graded approach and the staff will talk about that and talk about those particular areas and how we've approached it. So hold the question for a second. We're going to give you some specifics here in just a minute.

CHAIR BROWN: Okay. I don't want you to take it -- I'm pretty overbearing it seems like sometimes as you've probably figured out over the last few years. I'm very concerned about this particular area. So that's why -- I'm not against that.

My concern is we overdo the classification of what stuff needs to be, you know, really wrapped up tight with millions of sheets of paper and which ones don't. It's just a matter -- I like to see certain criteria type stuff. You throw it off to the side, stuff that there's no way you can put virus software in, you know, plant control systems, trips, et cetera, et cetera.

There's other things that don't meet that criteria. They're not in that category. And it just seems to me to make it easy, it's nice to put things in little -- different rice bowls if you want to call it that, put the stuff that you don't care about and so that you don't beat the licensees to death on this stuff.

MR. BEARDSLEY: Right.

CHAIR BROWN: But it can be overbearing. So don't think I'm just, you know, give me a data diode on every piece of equipment that's in there. That's not the way I think. I just really would like to see how we get to the point and make sure our really important systems don't even get tested. So that's --

(Simultaneous speaking.)

CHAIR BROWN: Okay? Thanks.

MR. BEARDSLEY: Right. Absolutely. So after we completed our interim inspections in 2015, the staff and industry identified the fact that there were some challenges in the area that you're talking to.

NEI developed a guidance document, NEI 13-10, that was used by industry and the staff to develop the graded approach to digital asset protection.

So there are classes of digital assets that have full protection, 160 odd controls. And there are other classes of digital assets that have a significantly lower number, somewhere around 15, you know, a dozen to 15 controls.

So we have tried to do that and tried to look at the total group of digital assets. And what the staff is going to talk about in a minute is how we're further evaluating that and further looking at how we can grade that.

So the staff conducted the assessment in 2019, provided an action plan to management in the fall of 2019. And the action plan identified a number of areas that the staff felt were worthy to be evaluated as part of our program.

Those areas are listed on this slide. And we broke -- and we further broke them down into prioritization of things that we would look at.

Our initial focus areas were primarily looking at digital asset identification, analysis and protection in the areas of emergency preparedness, balance of plant, safety-related and important safety systems and -- did the slides just drop?

CHAIR BROWN: Yes. You're okay. I just compared it to mine on my other computer so.

MR. BEARDSLEY: All right. They just dropped from my computer but hopefully they're still there.

CHAIR BROWN: It just stayed.

MR. BEARDSLEY: So the staff is going to speak to each one of those four areas in detail on the following slides. In addition, the staff and industry identified -- or excuse me. The staff and the Office of Inspector General during their audit of our inspection program identified opportunities to performance inform our inspection program. And the staff is actively developing a new inspection procedure that we believe is focused on licensee performance and performance informing our oversight.

There we go. The next area the staff focused on was the best practices for digital asset assessment. And those best practices have been incorporated into the current revision of Regulatory Guide 5.71 that is in the review process. Finally --

MEMBER HALNON: Jim.

MR. BEARDSLEY: -- I'm sorry, yes.

MEMBER HALNON: Jim, on 5.71 is the NEI document keeping pace with it since 99.9 percent of the plants are committed to the NEI document?

MR. BEARDSLEY: At this time, NEI has not decided whether or not they're going to update NEI 08-09, which is the document that they based their cyber security plans on. So that will be a question that industry evaluates once the Regulatory Guide is complete.

MEMBER HALNON: Okay.

CHAIR BROWN: Well, they are updated. I guess, it looks like you have all interacted with them on what, 13-10 and --

MR. BEARDSLEY: 10-04.

CHAIR BROWN: -- conditional 4.

MR. BEARDSLEY: Right.

CHAIR BROWN: But yet, I had never seen 08-09 even referenced. So I'm not familiar with that one at all. But that's the primary one. I guess we need to find that one.

MR. BEARDSLEY: Okay. We can make that available to you as well.

CHAIR BROWN: That would be much appreciated.

MR. BEARDSLEY: Okay. The other two areas, clarification of program definitions and terms was identified by both industry and the staff because there are a number of guidance documents. There's an NEI guidance document and there's a staff guidance document. And what we found was in some cases our definitions and terms weren't the same.

So we're working with industry to try and clarify that and make sure we're all speaking to the same definitions. And that's an ongoing effort as we update various different documents.

And finally the area of risk-informing control sets for digital assets, that's really looking at the future and how do we potentially come up with other methodologies that are different from that laid out in Reg Guide 5.71 or potentially the NEI 08-09 for implementation of cyber security programs in the future? Again, that's an ongoing effort that includes the Part 53 rulemaking and other areas that industry is evaluating.

Now I'm going to turn it over to Mario Fernandez, who is going to discuss our changes to the emergency preparedness digital assets. If I can change the slide, oh, went too far. There we go.

MR. FERNANDEZ: Thank you, Jim. This is Mario Fernandez, Cyber Security Specialist in the Cyber Security Branch. As Jim Beardsley stated, in the most recent assessment of the program, several areas were identified as areas for further risk informing to improve the efficiency and effectiveness of the power reactor cyber security program.

One of those areas identified is the emergency preparedness critical digital asset determination or what we call for a short term, EP CDAs.

Recognizing that an evolving program can benefit from lessons learned, the cyber security staff evaluated the proposed changes by the industry through EP CDA determination and the NEI guidance, which is related to Section (b)(1) of 10 CFR 73.54, which requires licensees to analyze digital computer and communication systems and networks and identify those assets that must be protected against cyber-attacks.

The review and evaluation process required two public meetings. One public meeting that took place in November of 2019 and another meeting that took place in August of 2020.

Many iterations of the proposed changes, various reviews and evaluations by the NRC staff, reaching alignment between the NRC and industry to ensure the proposed changes meet the requirements of 10 CFR 73.54, and finally a tabletop workshop conducted in August of 2020 to ensure implementation of the guidance is consistent with NRC approved implementation strategies or approaches.

The new and improved guidance for EP DA screening, or digital asset screening, accomplishes the following.

It adopts a more risk-informed approach, that is, an asset is identified for protection commensurate with the risk significance of that asset. And this approach is aligned with NRC emergency preparedness requirements and emergency plans, licensee emergency plans.

The enhanced EP DA screening methodology is more granular and considers methods and criteria that give licensees the flexibility to take credit for methods that are required in the EP regulations and the licensee's emergency plans.

This screening methodology provides efficiency and effectiveness to the power reactor cyber security program because it reduces the number of digital assets incorrectly identified for protection, thus allowing licensees to reallocate their resources to the safety and security areas.

The Cyber Security Branch staff evaluated these changes and determined that this proposal is consistent with NRC approved implementation strategies or approaches described in NRC Regulatory Guide 5.71, Cyber Security Program for Nuclear Facilities.

These changes will be incorporated in future revisions of NEI 10-04, Revision 2, titled, Identifying Systems and Assets Subject to the Cyber Security Rule, and NEI 13-10, Revision 6, titled, Cyber Security Control Assessments.

CHAIR BROWN: Can I ask a question on this, on the 13-10 and 10-04?

MR. FERNANDEZ: Yes, Member Brown, please.

CHAIR BROWN: You all had -- part of the -- thank you. As part of the documentation you sent, there were two submittals to the NRC from NEI that covered changes to both 10-04 and 13-10. And there were subsequent letters which went back to NEI which said that they were -- and I've read it as best I could on your terminology, they were consistent with what you all thought. In other words, you didn't disagree with them.

Let me finish my thought process a little bit. I'm a little bit slow here. With that thought in mind, correct me if I'm wrong, the emergency planning efforts are largely carried out -- correct me if I'm wrong, from the emergency support center. If there was a program, it's outside of the plant boundaries. Am I correct on that?

Normally, we see an ESC that's not within the plant, but it's out on the site within the boundary conditions. And you need to communicate bi-directionally in many, many different ways. So it would seem to me that this is a pretty strong area to have to pay attention to since you don't want guidance or requests to do certain things to be compromised in those interchanges.

I just -- this seems to me a big threat problem to me. That's why I'm asking the question. Is that part of the overall -- I mean, obviously you've got to do bidirectional communications all over the place. You've got to let NRC know. You've got to let these people know. The governor has got to know, et cetera.

That seems to be a tough challenge today. Do you do it independently? Do you segregate some systems or is it a combination of those?

MR. FERNANDEZ: Member Brown, you are partially correct. Licensees, depending on where the EP digital asset is located, its function, they perform the analysis and then they make the determination whether the EP function can be performed or not.

If the EP function cannot be performed because the digital asset is cyber compromised, let's say, then the licensee is required to provide protections for that particular digital asset. That's the granularity that exists in the enhanced methodology. Does that answer your question, Member Brown?

CHAIR BROWN: Well sort of. I mean, it's my impression if you look at what's been going on in other industries today, hackers have been getting in and turning things around and starting stuff that shouldn't be started. Shutting down stuff that shouldn't be shut down.

And so all of your -- my feeling is most of the cyber protection functions are reactive. All your virus protections are basically reactive. So you're fighting the last battle. In other words, you're fighting the last war that tried to get through, not the current war that may come and get you.

Are there any what I call hardened data communication pathways which implement using a data diode or hard-wired type stuff as a backup? It doesn't have to be as extensive, but something what I call a backup to the more flexible digital approach.

MR. FERNANDEZ: Yes, Member Brown, you are correct. So there are digital assets as you have mentioned that are hardened, and they may be behind the data diode. Those digital assets are required to be fully protected.

And, therefore, throughout inspections we have verified that the licensee is putting all the appropriate security controls, physical as well as logical, in those EP digital assets that are supposed to be fully protected. And all the digital assets that required a certain level of protection, they also rely upon performing the EP function with other means, which the methodology allows licensee -- and provides the flexibility to do so.

CHAIR BROWN: Okay. Thank you very much. I appreciate it.

MR. FERNANDEZ: Yes, Member Brown. And now I will introduce my colleague, Dan Warner, who is going to speak about the balance of plant digital asset determination. I turn it over to you, Dan.

MR. WARNER: Thank you, Mario. Good afternoon. And for those participating, we are on Slide 10. My name is Dan Warner. And I'm an IT Specialist Cyber in the Cyber Security Branch. And I'm here to discuss changes to balance of plant, or BoP, CDA determination guidance. BoP CDAs -- I'm sorry.

CHAIR BROWN: This is Charlie Brown again. I'm sorry to interrupt -- well, I'm not sorry to interrupt. I actually have a question so.

MR. WARNER: Sure. Please go ahead.

CHAIR BROWN: I'm not quite as versed in all the nomenclature inside the plants, balance of, I think, in terms of, you know, rod control systems and ESFAS systems, reactor trip, I call those reactor safety systems.

But you've obviously got switch gear, turbine generators. Is that balance of plant or miscellaneous other pumps and valves that have to be operated? I don't know where the dividing line is between what I traditionally deal with and what people refer to as balance. Do you have an example of what balance of plant stuff is for poor little me?

MR. WARNER: So your balance of plant stuff is pretty much the power generating portion of the plant. So past any safety systems on the turbine, essentially from the generator outward to the first intertie breaker to the grid.

CHAIR BROWN: Okay. Okay. So it's right after the generator to connect again to the grid then. It's all that stuff.

MR. WARNER: Yes. And there are systems that would be associated with the turbine that are non-safety related or generator as well that would be included in that.

CHAIR BROWN: You mean, like voltage regulators and governors, I mean, those type of support that actually make them run and operate or is it the cooling systems for the turbine generator? Is it all that stuff?

MR. WARNER: Yes. Some of the plants, I think, define the area a little differently. But in general, we typically call it the stuff that's used to just actually make the power as opposed to the main steam system with the reactor --

50 CHAIR BROWN: Okay.

MR. WARNER: -- and through there.

MEMBER HALNON: Charlie, think turbine building.

CHAIR BROWN: I got it. That's a nice definition. Thank you very much. Okay.

MR. WARNER: Thank you.

CHAIR BROWN: You're welcome.

MR. WARNER: So BoP CDAs are those CDAs that were added to the scope of the Cyber Security Rule during the resolution of FERC Order 706-B. Industry proposed aligning the BoP CDA evaluation criteria with the review NERC CIP standards, which are based on impact to the bulk electric system.

What this means is that BoP digital assets that can result in a loss of power to the bulk electric system of 1,500 megawatts or less are low impact and have a reduced set of cyber security requirements.

BoP digital assets that can result in a loss of power to the bulk electric system of greater than 1,500 megawatts are medium impact and have a greater set of controls which are similar to our current BoP CDAs.

The grid operator can also indicate a plant as medium impact under specific circumstances to maintain grid operation and reliability.

Most BoP CDAs will end up in the low impact category. This will allow licensees to reduce the number of controls on a significant number of CDAs and instead focus their resources on those assets with a higher safety significance.

As you can see on the slide, we had a number of public meetings to discuss the document. The initial public meeting occurred in January 2020 and then NEI first submitted the paper in April of 2020. We addressed concerns and fed them back to NEI. And they submitted a revised paper to address those concerns in July of 2020.

FERC staff were involved throughout the review of the proposed guidance changes, and they were satisfied with the final document.

In August of 2020, NRC staff concluded the proposed changes in the paper are consistent with the requirements of 10 CFR 73.54 as well as the NRC approved implementation strategies or approaches described in Reg Guide 5.71 and NEI 08-09, Rev. 6.

And as Mario mentioned previously, these changes we are discussing will all be rolled up into future revisions in NEI 10-04 and NEI 13-10. And if there's no questions, here's Eric Lee to talk about the safety-related and important to safety white paper.

MEMBER HALNON: Hey, Dan, this is Greg Halnon.

MEMBER KIRCHNER: This is Walt Kirchner.

MR. WARNER: Okay.

MEMBER KIRCHNER: You are implementing a FERC order. So I'm not asking you to comment on this. I would just observe that the threshold of 1,500 megawatts is very high. I guess FERC doesn't rule over ERCOT, but events in Houston would suggest a lower threshold in terms of the critical importance of nuclear power. You don't have to comment.

MR. WARNER: Okay. Thank you.

MEMBER HALNON: Dan, this is Greg Halnon. Did you guys -- I mean, early on, there was a concern that FERC and the NRC might be onsite doing different types of oversight on the same systems. Did you guys get an MOU or something with FERC to cover their systems?

MR. WARNER: That is correct. When this order was initially issued back in 2009, they put together a Memorandum of Agreement between FERC and the NRC that documents that NRC is going to be cognizant of everything from the first intertie breaker into the plant that maintains one regulator within the plant.

MEMBER HALNON: What ongoing discussions did you guys have at FERC? Do you have incoming reports that you give them or any kind of assurances or anything relative to your inspection process?

MR. WARNER: I'm going to ask Jim to chime in. I know there are commission meetings between FERC and the NRC, and I'm not sure if these are involved. So I'll let him weigh in on that.

MR. BEARDSLEY: During the every two year FERC and NRC Joint Commission meeting, the staff does provide an update on the inspection program and what we've found, but we do not have a routine reporting process for FERC. If we did find significant issues in a licensee site, the staff does have routine communications with FERC staff, and we would inform them thereof.

MEMBER HALNON: And I was really interested in vice versa, where non-nuclear facilities may come up with some issue or lessons learned or other issues that may have happened from a cyber perspective. How do you guys get word of that?

MR. BEARDSLEY: The staff has a number of different liaisons with the Department of Homeland Security in particular. And we're establishing various lines of communication with the new Department of Energy agency that's responsible for cyber, and I can't remember what their acronym is.

And so that's really where we would do our interagency liaison. We also have a full branch in NSIR whose primary responsibility is intelligence analysis and interagency liaison. So we have multiple different lines of communication.

MEMBER HALNON: Okay. So is there no one national clearing house that accepts all the cyber issues or is that DHS?

MR. BEARDSLEY: That's DHS CISA, that's Cyber and Infrastructure Security Agency.

MEMBER HALNON: Okay. And then it all feeds out from that.

MR. BEARDSLEY: Correct.

MEMBER HALNON: It feeds in and feeds out from there. Okay.

MR. BEARDSLEY: Correct.

MEMBER HALNON: Thanks.

MR. WARNER: Okay. If there are no more questions then Eric, take it away.

MR. LEE: Thank you, Dan and good afternoon. My name is Eric Lee from the Cyber Security Branch. And I'm a Senior Cyber Security Specialist. And I'm on Slide Number 11.

This safety-related and important to safety white paper is a sister paper to the BoP white paper that my colleague, Dan, just explained.

Like the BoP white paper, the safety-related and important to safety white paper provides proposed changes to NEI 10-04 and NEI 13-10.

As stated previously, the focus of the BoP white paper is providing guidance for identifying BoP CDAs that were added to the scope of the Cyber Security Rule as an important to safety CDA during the resolution of FERC Order 706-B.

However, the focus of the safety-related and important to safety white paper is providing guidance for identifying those digital assets that the Cyber Security Rule originally intended to identify as safety-related and important to safety CDAs.

The term safety-related is defined in the regulations. However, the term important to safety is not, even though the term is used in the NRC regulations and used throughout the history of the NRC.

As a result, everyone seemed to have a picture or an idea of what important to safety systems and equipment should be. But the picture that everyone draws in their mind may not be the same.

So guidance provided in the white paper aligned the term safety-related to the definition provided in 10 CFR 50.2 and closely aligned the term important to safety to how the NRC historically used this term.

This ties safety-related and important to safety systems and equipment for the purpose of identifying safety-related and important to safety CDAs to those systems and equipment that are accredited to meet the licensee's current licensing basis to shut down the reactor, maintain it in a shutdown condition and prevent the release of radioactive material during the event and accidents to meet its current licensing commitments or its current design basis.

Additionally, any systems and equipment that meet the following two conditions are protected as safety-related or important to safety CDAs. One, any system or equipment that functionally interfaces with the safety-related or important to safety equipment that I mentioned earlier.

Two, if a compromise of a cyber attack of a subsystem and equipment interfacing with the safety-related and important to safety equipment could adversely impact the safety-related or important to safety function, if that is so, then they are protected in the same manner as the safety-related or important to safety CDA.

This white paper took a year to develop. It began in August of 2019 when NEI and the NRC met to discuss the concept of safety-related and important to safety system and equipment for the purpose of identifying CDAs.

A year later in August of 2020, the NRC accepted the white paper after NEI addressed the staff's comments on its white paper that NEI submitted in May of 2020.

Staff provided its comment in a public meeting in June 2020. This allowed licensees to use the guidance provided in the white paper before NEI updates 10-04 and NEI 13-10. Any questions?

MEMBER HALNON: This is Greg Halnon. I have a question. It may be more for the Branch Chiefs. But is this the typical regulatory process? I thought typically that NEI would write a document. The NRC would endorse it through a Reg Guide. But it appears that we're kind of paralleling that with white papers and NEI documents that are agreed to and a Reg Guide that's only being used by one licensee.

Is that the way that we have planned this? Was there some other thing behind the scenes that's going on?

MR. BEARDSLEY: Greg, that's a good question. Planning it is a little bit challenging. Because we knew there were a series of changes that were going to happen to these guidance documents, but through the assessment process and the feedback we received from stakeholders, we recognize that these were areas that we felt were important to be addressed.

The industry elected to submit a series of white papers while it's trying to update the documents in a sort of parallel fashion, which would have been very challenging.

So it does seem a little strange the way it played out. But it provided the industry the feedback in these areas more quickly than they would have had we had to wait until the guidance documents had been updated for each one individually.

When they're done, which we are done now with all four of the white papers, industry is preparing a comprehensive update to each of these guidance documents. And the staff will have the opportunity to review that in total.

MEMBER HALNON: Do you anticipate you'll endorse those through a Reg Guide or some other more established mechanism?

MR. BEARDSLEY: As a general practice, we have not endorsed the NEI guidance documents for cyber through Reg Guide. We have accepted them for use by letter.

MEMBER HALNON: Okay. That seems like a one-off as well but maybe it's been done in the past. I just didn't know.

CHAIR BROWN: If you've accepted those -- I tried to look at some of these white papers. I couldn't define everything. I was looking for the ones that defined these safety-related and important to safety functions. And I was trying to get a definition of what that was. I didn't see a clear definition of what somebody claimed to be safety-related or any examples. Was that deliberately left out in terms of providing examples for what that means? It's pretty wordsmithed in most of the places I was able to find.

MR. BEARDSLEY: So just for context, this particular white paper is different than the other three in that we wrote a number of inspection findings in this area because the licensees had underprotected the systems. So they had classified systems that we felt should have had a full suite of controls as having a lesser suite of controls.

And so the goal of this effort was to be very clear to industry on what needed to be protected more and what needed to be protected less. And I think Eric would agree with me that the result is more systems will be protected as a result of this part of the initiative.

MR. LEE: And certainly, Member Brown, to your point, to help the licensees and the inspectors understand what systems and equipment should be considered safety-related and important to safety for the purposes of identifying critical digital assets, we have provided the 10 steps to identify what systems are considered safety-related and what systems are considered important to safety CDAs.

CHAIR BROWN: Are those in the white papers? One white paper I found on safety-related versus and affected -- I guess, it was an NEI document dated July 17, 2020, and it showed changes to NEI 10-04 and 13-10. And it was all related to the -- let me get the title correct so I don't mess that up -- safety-related and items important to safety.

But they refer to things like integrity, the reactor coolant boundary, the capability to shut down. Some of that didn't change. But then a lot -- there were a lot of red markups when you got to the changes which didn't seem to relate.

I'm kind of echoing Greg's thought process. It seemed backwards. I would have expected instead of these things showing up in industry documents, I would have thought that they would have ended up being categorized within, you know, 5.71 or something like that to categorize this particular terminology to make sure there was one consistent NRC document that told people what was what, what was safety-related and what qualified as important to safety. But as opposed to that, you have to now go to all these other documents.

I haven't read any of the revisions. I've tried to look through parts of the new 5.71, but it's increased considerably in size from 114 pages to 144 or something like that. So it got a little bit difficult to go side-by-side and compare them.

So it just seemed a little bit backwards. I guess that's a little bit of a concern is how well is this stuff defined?

MEMBER KIRCHNER: This is Walt. Eric, is this defined in your white paper?

MR. LEE: Yes, sir.

MEMBER KIRCHNER: Did you see any of that, Charlie?

CHAIR BROWN: The only paper I had that I saw was a white paper on this was an NEI Document E200-717-TE040841 dated 7/17/20, changes to the NEI documents. And I didn't see another white paper in anything we got. I saw then there was a response to that.

MEMBER KIRCHNER: Well, Charlie, this is a side observation, but this is very important and useful for 10 CFR 53 deliberations because clearly in 10 CFR 53 draft rule language, they're going to have to deal with definitions.

This approach that Eric has described strikes me as a functional approach that could be, you know, getting beyond the 10 CFR 50.2 definition of safety-related to a more generic technology inclusive definition. What the staff has done here might be very relevant to the 10 CFR 53 development.

MR. BEARDSLEY: Yes, we'll be discussing at a high level our first 10 CFR 53 cyber security. But I think that -- I agree that the appearance of just looking at the white papers can be confusing. We will be receiving a markup of the guidance documents from NEI in the next few months. And I think that once you see all of the changes associated with the document, it will be much clearer how this all works.

And so what industry is going to do is they take the white paper that Eric addressed and then they'll go implement the changes in the white paper to their own implementing procedures, which are based on the NEI guidance documents.

So it's clearer to the user than it is to maybe the casual reader.

MEMBER KIRCHNER: Yes. But for our purposes put the NEI aside, that's more of an industry position. It's the staff's position that I'm the most interested in. Is this white paper available to us?

MR. BEARDSLEY: Yes. It's the paper that Member Brown mentioned a moment ago.

CHAIR BROWN: If that's the July -- that's the July 23 -- that letter number that I wrote or referenced? I think it was the E200-717-T040841 of 7/17/20?

MR. BEARDSLEY: We'll verify that for you and make sure that you have the right one. I believe that is correct.

CHAIR BROWN: It was about 19 pages long. And it had a lot of red inside the document. And those changes were to NEI 10-04 and then I think at the very end, they got into 13- --

MR. BEARDSLEY: 13-10, correct.

CHAIR BROWN: -- 13-10, correct. But they referenced, I guess, one of the sets of words that I had highlighted where they had talked about stuff that could be thrown in to some other category. I couldn't figure it out.

It was examples of equipment that does something. It would be electrical equipment powered from the 1E tire supplies and are classified under the 1.97. So it started tossing around Reg Guides like candy at a child's party. I lost track of what was going on.

I wasn't able to read that entire white paper and understand it relative -- I just got the NEI document a day or so ago. So it just seems --

(Simultaneous speaking.)

MEMBER KIRCHNER: Well, Charlie, I'm just repeating myself, but the staff's position is what I'm interested in --

CHAIR BROWN: Yes.

MEMBER KIRCHNER: -- not a markup by NEI.

CHAIR BROWN: This is NEI's document. I agree with you.

MEMBER KIRCHNER: This is a fundamental important thing in developing the 10 CFR 53 rule.

CHAIR BROWN: I agree with you. It's just a matter of how do you get these things integrated together? And you don't want to develop another rule that has another set of terminology that you have to deal with so. Okay. So we're informed of what you're doing. Any other questions before we move on? Okay. Eric.

MR. LEE: Thank you. Now, here is Brian Yip to talk about the security white paper. Brian?

MR. YIP: All right. Thanks, Eric. Good afternoon. My name is Brian Yip. I'm a Cyber Security Specialist in the Cyber Security Branch in NSIR. And I'm going to talk about the final white paper for this afternoon, which addresses critical digital assets related to physical security systems.

And like the others, it proposes changes to NEI 10-04 and NEI 13-10 to clarify guidance on how to identify physical security critical digital assets and the appropriate controls to apply to them. And I focused on four areas.

First, it tied the definition of a physical security function, you know, when we talk about safety security and emergency preparedness functions, it tied the physical security functions to the physical security regulations in 10 CFR 73.55(b). So, for example, access control systems, physical barriers, you know, alarm intrusion detection systems, assessment systems, so it makes clear the list of physical security functions that need to be protected from a cyber perspective.

The paper also provides guidance on what it refers to as digital security tools. And these are devices that licensees in some instances use such as like a digital range finder or a digital rifle scope. These are things that may be used from a security perspective but don't really meet the intent of performing a security function.

So the paper gives licensees a guidance that if they evaluate these devices, they would still need to evaluate them. And they confirm that the device does not perform a security function and that it cannot adversely impact -- the compromise of it could not adversely impact a safety security or emergency preparedness function, then they don't need to consider those devices to be critical digital assets.

The paper also gives licensees an alternative means to address security support systems. An example of that would be an HVAC system that provides cooling to the central alarm station or the security computers.

And similar to the approach taken with emergency preparedness, if licensees establish procedures and training to implement alternate means to provide that support function and they do it in a way that prevents an adverse impact to the security function that it's supporting, then that device performing a support function does not need to be protected as a CDA.

And lastly the paper provided additional guidance on the protection of digital assets used for access authorization. So computers used for background checking programs, granting access to the plant, et cetera.

And it addressed a number of different configurations and scenarios that we see with licensees in the field. Some licensees protect their digital assets for access authorization at the highest levels of their network. Others rely on offsite corporate assets to perform some access authorization functions. So this paper provides additional guidance on how licensees should classify and protect those digital assets in each case.

It also describes how licensees must verify the data integrity if they take access authorization data, such as somebody was approved for plant access, all that badging information, when it's transferred onsite to the plant security computer, it gives licensees requirements that they have to perform a secondary verification to make sure that data integrity was maintained when that data was transferred to the plant security computer.

On further review of this white paper, we had some initial discussions with NEI in mid to late 2020 and then NEI submitted a draft in December 2020. We held a public meeting in January 2021, and provided NEI with comments, staff comments in April of 2021.

Our comments centered around ensuring that there was sufficient detail in the access authorization section to ensure proper implementation that covered all of the various licensee configurations that we've seen and also ensured that there was sufficient detail in the security support system guidance to ensure that it protected against adverse impact to the security functions that it's supporting.

NEI submitted another revision that we reviewed and found consistent with the NEI 08-09 in June of this year. And as with the other white papers, licensees can implement these changes now or they can, you know, wait for the full revision to NEI 10-04 or NEI 13-10 if they wish.

Any questions on physical security? Okay. With that, I'll turn it back over to Jim. Thank you.

MR. LEE: Jim, you are muted.

MR. BEARDSLEY: That was going to happen eventually. As I noted earlier, when the staff performed our program assessment in 2019, the Office of Inspector General also conducted an audit of the cyber security inspection program at the same time. And both of those processes identified opportunities to further performance inform our inspection program.

The staff has taken the lessons learned from our full implementation inspections conducted from 2017 through 2021 and developed a new inspection procedure that will be incorporated into the reactor oversight process inspection cycle.

The inspections have been shortened from two weeks to one week and will be conducted on a two year basis versus a three year basis.

The inspections will be based on having two regional inspectors and two subject matter expert contractors similar to the inspections we've conducted to date.

We are providing opportunities in the inspection procedure for licensees to provide the staff with performance metrics information or potentially performance testing information on replicas of their systems. If they do that, the staff will evaluate the information and may reduce the resources assigned to the inspections.

The staff hopes to have this inspection procedure approved in August and plans to conduct a series of public meetings with industry and stakeholders to discuss implementation of the inspection procedure prior to the start of inspections in January of 2022.

Are there any questions about our future inspection program? Okay. I will be followed by Juris Jauntirans, who will discuss our cyber security efforts associated with the Part 53 rulemaking program.

MR. JAUNTIRANS: Good afternoon. As Jim said, my name is Juris Jauntirans. I'm a Cyber Security Specialist within the Cyber Security Branch. During my portion of the brief, we will be on Slide 14.

In Part 53, NSIR staff aims to develop a technology inclusive regulatory program for advanced reactors that applies a performance-based graded approach for a comprehensive range of security areas, including physical security, cyber security, information security, fitness for duty and access authorization.

This proposed regulatory framework will offer applicants flexibility to rightsize the program by providing performance-based requirements that are commensurate with the risk to public health and safety. Both of the physical security and the cyber security sections in Part 53 are going to point to new sections within Part 73 and for cyber security, that's going to be Part 73.110.

In this new section of Part 73, the staff specifies cyber security requirements for the protection of digital computers, communication systems and networks for advanced reactors. And we presented the proposed language at a June 10 public meeting.

While 10 CFR 73.54 provides a good framework for cyber security operating reactors, the staff feels that advanced reactors require a more flexible approach to adapt to the wide variety of technology that advanced reactors could potentially represent.

CHAIR BROWN: Why?

MR. JAUNTIRANS: With that in mind -- I'm sorry.

CHAIR BROWN: Why? I mean, a reactor is a reactor. Why does an advanced reactor -- why does it need more flexibility than the regular reactor plants that we have today?

MR. JAUNTIRANS: We were given the task --

CHAIR BROWN: That's the next statement.

MR. JAUNTIRANS: Okay. That's a good point, sir. We were given the task to develop a graded approach because of the variety of technologies.

We can go from a very, very small source term, very, very small reactors all the way to something that's as big or larger than the current light-water fleet and because the varied types of control systems that a cookie-cutter approach from 73.54 would not necessarily be the best approach. And we are currently in a draft. And we would be happy to accept any other --

CHAIR BROWN: Did we lose you?

MR. JAUNTIRANS: -- on the draft rule.

CHAIR BROWN: Why in the world would the cyber security requirements be worried about whether you had a low source? I mean, you don't want a reactor plant regardless of the source term to be hacked, destroyed, rendered, you know, unusable or be dangerous in any way, shape or form than it regularly would. Just because it may not contaminate as large of an area, we let guys freewheel in and do what they -- I'm being facetious a little bit with my statement. I'm overstating the point just to make the point.

It just doesn't seem to make sense that source term would be used to define the level of cyber security or the allowance for less or a more penetrable type cyber security than you would involve on a large light-water reactor.

MR. JAUNTIRANS: So source term is not the only criteria. And I believe Michele Sampson here has appeared on the screen. I think she's got something to add here.

MS. SAMPSON: Thanks so much, Juris. I just wanted to make the point that our intent in the Part 53 rulemaking effort is to provide an equivalent level of safety and to develop regulations that are technology inclusive.

1 So we certainly are not looking to provide 2

anything that would be a lower level of safety. The 3

regulations will provide an equivalent level of safety 4

but also provide a performance-based approach that 5

will enable or ensure that applicants consider the 6

range of, you know, potential hazards that may exist 7

with the different technology designs.

8 So, you know, it's certainly not our 9

intent that the regulation is lesser. It is just 10 technology inclusive and very performance based.

CHAIR BROWN: Well, all of these were performance based. I mean, the stuff we are putting in today are performance based. They are technology inclusive, and they are technology neutral. You can do them multiple different ways. So those words, pardon my French, seem to be injected into a lot of these different conversations these days relative to what we're doing.

The connection we have in general is stuff that's going to be the same across platforms, we shouldn't make them different or think they should be -- this is a personal opinion now. This is not a committee opinion. I want to make that clear.

I just have a hard time understanding why we can allow a wireless connection into a plant where it can be totally hacked and melted down because it's an advanced reactor, because it's got a little source term, I'm saying that speculatively, when we wouldn't allow that type of stuff in a large light-water reactor.

It's just the thought process. I think we have to -- there are some things you have to protect against. And cyber is a very vulnerable area on any plant that we put out in the field that NRC puts their name behind.

MEMBER BLEY: Charlie?

CHAIR BROWN: Yes.

MEMBER BLEY: They haven't said they are going to allow wireless on a new plant. They said they're going to maintain the same level of safety.

And I'll take you back to a meeting we had a couple years ago on this topic when you very much, and I was with you, were worried that the level of effort we were forcing people into and looking at critical assets was going to cost more than is reasonable.

And I personally see if there's a low chance of harm, we don't need to pour as much effort in as if there's a high chance of harm. And I'd give them the chance to come up with something. Now they're saying they will maintain the same level of safety. We've got to see what that means. But dismissing that as not possible at least to me doesn't seem reasonable.

CHAIR BROWN: I'm thinking more of access than I am anything else. And I agree with you. I've always worried that we can overdo the CDA routine and beat the licensees to death. You're correct. I've said that before, and I will say that again right now. I don't want to impose.

I like to categorize systems, those that really are related to safety. And those that aren't -- so they get compromised, you can recover and don't worry about it because you just may lose some data. You may lose some of this. But the world is not going to end.

And I've always worried that we've applied too many rules to stuff that don't need a lot of rules. So it's a double-edged sword, but I don't like -- I'm just worried about people thinking access can be maybe a little bit easier because the outcome or the results may not be as bad.

And I just think it's bad for any reactor plant to be viewed as a potential hazard. It's hard enough getting them built these days without adding impressions to people that they're just not as safe as they used to be. It's just a thought -- that's just my thoughts. That's all. I'm not trying to -- I'm just trying to make this to be thoughtful and not get carried away. That's my only thrust.

MEMBER HALNON: So, Charlie, this is Greg. I understand where you're going with that. And I'm kind of looking at it from a different perspective that the new look at it from this performance based, maybe we'll have a conversation in the future how that could apply based on lessons learned and higher levels of knowledge that we had in the '08s and '09s time frame based on, you know, the contemporary cyber knowledge. Maybe we will have a conversation on how this could apply to the large light-waters in the future as opposed to just the smaller reactors.

Kind of like what Dennis said, I'm kind of just anticipating an interesting conversation on the other end, why couldn't this apply to the bigger plants as opposed to, you know, what you're saying is why can't the bigger plants comply to the advanced reactors? So anyway, that's my thoughts. That's what you sparked.

CHAIR BROWN: I don't disagree with you from that thought process. My fundamental thought when we do our design reviews, primarily my focus is on the reactor trip, safeguards, ECCS and the functions that they control to ensure the plant is safe. And there's a plethora of other equipment out there that don't really require that level of protection.

MEMBER HALNON: Okay. Yes, I agree, and, you know, clearly the balance of plant stuff for the smaller reactors will be in a different neighborhood

CHAIR BROWN: Absolutely.

MEMBER HALNON: -- so.

CHAIR BROWN: Absolutely. But yet one of the big concerns in the power supply type world is with operators going to Internet controls of their remote stations, you have just set yourself up for a massive grid shutdown because it's very difficult to protect those assets cyber-wise. I mean it's a continuing threat. And you're always fighting yesterday's battle.

MEMBER HALNON: Well, and this brings us back to the potential discussion of autonomous operation. You're talking about wanting to be fearful of something that could happen bad is no one would even be watching it.

CHAIR BROWN: Yes. Yes, we mentioned that before. It's another one of my big concerns.

MEMBER HALNON: Yes.

CHAIR BROWN: All right. I'm sorry I just -- you can tell that this stuff is dear to my heart so.

(Simultaneous speaking.)

MEMBER KIRCHNER: I think, Charlie, this conversation sooner or later is going to have to include a conversation about operators and where they're located and how they're licensed, et cetera, et cetera, and physical security.

I kind of view it as kind of like a Venn diagram of sorts because for those micro reactor concepts and other concepts that aren't likely to be large megawatt plants, what they are envisioning is entirely different than what we expect of, you know, a large power plant in terms of are there operators or physical security and the cyber security aspects, especially if they're "to be remote operated."

MEMBER MARCH-LEUBA: Yes. But let's not relax the requirements for the 3,000-megawatt plant because there is an assumed 1 megawatt plant out there that may want to do something different.

We tend to write our regulations to the lowest common denominator, which is the best plant, which is the 1 megawatt plant. But we still have to deal with the 3,000. That was just a comment.

I wanted to bring back to the discussion this line, which is Part 53. In my opinion, the biggest qualitative change in Part 53 is the interaction of Tier 1 and Tier 2 safety goals. Okay.

And what we've done is move all of the safety off to Tier 2. And anything that is in Tier 2 is non-safety grade. So you guys have the experience of operating reactors with almost all SSCs are safety grade, and you have to protect them.

When you look at that 53 license plant, they may not have a single safety grade component, not one, because of the way they have it under Tier 1 and Tier 2. And you need to think about it because I don't like it. I'll put it on the record. You guys please do think about --

MEMBER PETTI: Jose, I really wish you'd stop interpreting and reading into 53 things that aren't there. I've seen a ton of plants. They all have safety systems. Okay? To say that they would have no safety systems is an exaggeration and doesn't affect the operation.

MEMBER MARCH-LEUBA: I will go to the transcript and say where the staff said that. I will find it for you.

MEMBER MARCH-LEUBA: The staff said some of this is more than one --

MEMBER PETTI: The staff is recommending getting rid of the concept of Tier 2, which means that all of the requirements would just be there so.

MEMBER MARCH-LEUBA: And I don't know. And we are, too, ACRS put it on the record.

MEMBER PETTI: Yes. So that's just not --

MEMBER MARCH-LEUBA: So right now it is there. Okay? So if you are writing a cyber security policy for Part 53, you have to assume, today, that there's a Tier 1 and a Tier 2. And a very small low power reactor with very good fuel cannot possibly produce 25 rem at the boundary. Under 4, you don't need anything for safety grade. And they told us that yesterday.

MEMBER KIRCHNER: So you're throwing that position, Jose, that I don't think is a likely outcome from a staff review of an application.

MEMBER MARCH-LEUBA: They told us that yesterday.

MEMBER KIRCHNER: Remember, you still have to, as a previous presenter today said, you have to shut down the reactor and maintain it in a shutdown condition and you have to protect efficient product --

MEMBER MARCH-LEUBA: Nope, nope, nope, nope, nope, nope, nope. Control reactivity is Tier 2.

MEMBER KIRCHNER: No. It is not.

MEMBER MARCH-LEUBA: It is. Look at it. Check it out. Tier 1, and we'll discuss it in Part 53. I apologize to these other guys. Tier 1 is only control of heat ventilation (phonetic).

CHAIR BROWN: That's okay. Can we resolve that and get on with this particular discussion? I think we ought to get that one cleared up so we all understand that, Jose and Walt so and Dave. So I agree. We ought to --

MEMBER PETTI: Let's table that and keep going, Charlie.

CHAIR BROWN: Yes. That's what I'm planning on doing that right now. Okay. Go ahead. I'm sorry about that.

MR. JAUNTIRANS: No worries. Thank you. I think it's a good valuable discussion for everybody to hear. Thank you.

So with the flexibility that we've previously discussed, in lieu of requiring advanced reactor licensees to protect against cyber-attacks up to and including the design basis threat as required for power reactors in 10 CFR 73.54, the proposed new section implements a graded approach at the cyber security program and security controls implementation level.

A graded approach based on consequences is intended to account for the differing risk levels within advanced reactor technologies. Specifically, the new section requires licensees to demonstrate reasonable assurance of cyber security protection against cyber-attacks only if such attacks would lead to a consequence as defined in the proposed rule.

The proposed new section leverages the operating experience from power reactors. The proposed regulations for fuel cycle facilities as well as 10 CFR 73.54 framework as it contains some of the basic requirements needed for cyber security regardless of reactor type.

It's also informed by the NRC's Office of Nuclear Security and Incident Response's interagency interface efforts associated with cyber security.

Differences between the 10 CFR 73.54 requirements and those discussed in the proposed new section are primarily based on the implementation of the graded approach used in the Part 53 construct to accommodate the wide range of technologies to be assessed by the NRC.

The proposed new section currently includes two consequences which are related to advanced reactors physical security requirements in Part 53.

The first consequence seen here on the left side, the second box from the top, deals with the topic of radiological sabotage. Specifically, it deals with the scenario where the cyber-attack leads to offsite radiation hazards that would endanger public health and safety.

CHAIR BROWN: We lost you or you're muted.

MR. JAUNTIRANS: Yes. Somebody muted me there. Okay.

CHAIR BROWN: Yes.

MR. JAUNTIRANS: All right, anyway. So it specifically deals with -- it's the consequence exceeding specific dose value criteria from Part 53. At the current time, it's tied to Part 53 first tier safety and criteria.

The second one, which would be the bottom box on the left side, that consequence deals with the topic of theft or diversion. Specifically, it deals with the scenario where the cyber-attack adversely impacts digital assets used by the licensee for implementing the physical security requirements for special nuclear material, source material and byproduct material in Part 53. This is tied to the Part 53 physical security rules for advanced reactors. And that is linked with Part 37.

As a part of the Part 53 rulemaking efforts, the staff is seeking formal feedback from all stakeholders on whether any additional consequences should be included in the new section. And as of present, we have not received any feedback in that regard.

The primary feedback we've received has been about the Tier 1 safety criteria. I don't have that at this present time. But that's the most feedback we've gotten at this time.

The remainder of the rule resembles 10 CFR 73.54 in many ways while implementing the graded approach as previously discussed. And are there any more questions? Okay. I'd like to turn it back to Jim for discussion on the PRM.

MR. BEARDSLEY: Thank you, Juris. In 2019, when the staff briefed the Subcommittee -- there we go -- we noted the fact that NEI had submitted a Petition for Rulemaking to change the Cyber Security Rule in 2014.

The staff has reviewed that rule over the course of the last few years. And in 2019, a decision was made to hold off on a decision until the staff had completed the efforts associated with our internal self-assessment and the action plan that we discussed earlier in this presentation.

The staff has since made a recommendation to the Commission and the Commission has yet to complete their decision-making on the petition. And we expect to hear from the Commission sometime this month or early next month. Any questions about the Petition for Rulemaking?

CHAIR BROWN: Yes, Jim. Is that the 73.54 rule or --

MR. BEARDSLEY: It is. It was a petition -- PRM 73.18 dealt with the content and construct of 73.54.

CHAIR BROWN: We haven't been involved in that, at least I haven't been at that point. Can you give us a little bit of the thrust of the NEI? I know we've got the Petition here, but I didn't get to that part. I was looking at the other parts.

MR. BEARDSLEY: Sure. Big picture, NEI's point was that the industry had overincluded digital assets in their cyber security programs, which could potentially distract them from focusing on those assets with a higher risk or a higher significance. And they believe that the rule should be rewritten to reduce the overall scope.

The staff reviewed that in light of the fact that it is a performance-based rule. The staff has, you know, done evaluations and in particular, as a result of the action plan, has been working with industry to try and look hard at the decision-making process on what digital assets need to be included in the program and those that have not. And those are the areas we talked about earlier in our presentation.

MEMBER KIRCHNER: Jim --

CHAIR BROWN: Have you provided a recommendation -- just a minute, Walt. Have you provided a recommendation to the Commission or --

MR. BEARDSLEY: The Petition Review Board did provide a recommendation to the Commission. And the Commission has yet to respond to the staff.

CHAIR BROWN: Was the staff involved in that? I mean, like --

MR. BEARDSLEY: The Petition Review Board was made up of staff, yes.

CHAIR BROWN: Okay. Folks that were familiar with the cyber security requirements in 5.71 and what fell out of the rule in terms of actual execution?

MR. BEARDSLEY: Right. As with all petitions, you have a multidisciplinary team that makes up the overall evaluation.

CHAIR BROWN: All right. Thank you. Yes, Walt, I interrupted somebody.

MEMBER KIRCHNER: No. It was along the same lines, Charlie. I was just thinking 2014 is a long time ago. Both the industry and the staff have come a long way, the staff, in implementing its program plan. Does the industry still feel like the rulemaking is necessary given where we are in 2021?

MR. BEARDSLEY: I couldn't say. You would have to ask industry.

CHAIR BROWN: Okay. Any other questions on this subject? All right. Why don't we roll on, Jim.

MR. BEARDSLEY: Absolutely. We talked about Regulatory Guide 5.71 a number of times over the course of the brief. Just to point out, the Reg Guide was published in 2010. In 2016, the staff initiated an update to the Reg Guide.

And in 2018 and 2019, it was recognized that the staff and industry, through our assessment and as a result of inspection lessons learned, had found a number of areas that probably should be included in the draft guide or the Revision 1 to the Reg Guide. So we put that draft on hold in 2018 and picked it up again just this past year in 2021.

The staff has completed the update of the Reg Guide based on the information they had to date. And that update included the implementation of the industry white papers, which we talked about earlier in this presentation, clarification on insights gained from operating experience in both national and international cyber security standards, updated text to discuss risk-informed cyber security evaluation methodologies and updated texts based on the resolution of public comments that were received when the draft guide was last released publicly in 2018.

The staff intends to release this version of the draft guide for public comment in the near future and will hold multiple public meetings associated with that public review process.

The current schedule has the Revision 1 to Reg Guide 5.71 being published sometime in the spring of 2022. Any questions about the revision to the Reg Guide 5.71?

MEMBER HALNON: Jim, this is Greg Halnon. I realize that it looks like a lot of effort for revising a Reg Guide that one licensee is using for one plant that's not even operating yet. What is the industry looking at?

Are they looking at helping you get this to where it needs to be so we can use 5.71 consistently across the country and satisfy our earlier concerns about so many documents with so many different definitions and whatnot or is this going to just be a continuing saga of just one licensee using it?

MR. BEARDSLEY: So based on the feedback I received from industry, I don't believe that the licensees are going to change their Cyber Security Plans because the draft guide isn't changing the template for the Cyber Security Plan significantly.

Our goal with updating the Reg Guide is to incorporate the lessons that we've learned over the years and really look hard at both national and international standards and make that information available to future licensees.

So the Rev 1 to Reg Guide 5.71 is arguably tailored towards the information for future licensees.

MEMBER HALNON: So future Part 50 and 52, right.

MR. BEARDSLEY: Future Part 50 and 52, right. We are engaged in a parallel Regulatory Guide development as part of Part 53, which will also include a significant amount of the information we've included in Reg Guide 5.71.

MEMBER HALNON: Okay. I think my concern is that there's just a lot of parallel efforts going forward and a lot of parallel documents. You know, there are multiple different licensees using them in different ways.

I mean, ultimately, they're all getting to where you want to be. I get that. But the concern is that it's a lot of effort when there's, I mean, both on your side and the industry side to get this document updated.

And I agree it's for future licensees. But I'm not sure how many more there's going to be under Part 50 and 52 that it would make all this effort worth it.

So anyway, I got to go back and look at the whole plethora of documents again and just see how it all fits together. So thanks. And I'll hold my comments until later.

MR. BEARDSLEY: Any other questions on our Regulatory Guide 5.71 update?

CHAIR BROWN: Yes.

MR. BEARDSLEY: Okay.

CHAIR BROWN: I don't want to do a detailed -- I'm not trying to do a detailed -- I'm always curious about 5.71 so I did take some time and compare the original revision from 2010 to the new update.

The new update has some good stuff in it, okay, some references to unidirectional, hardware based, non-software controlled, et cetera, et cetera. Good lessons learned from all the design applications we've gone through.

It also has some stuff that's not so good. And you probably knew I was going to say that somewhere. For instance, the old one, and I'm not going to go through a lot. It's just an example. The old one prohibited bidirectional communications or any communications from lower levels of security to the more secure levels, in other words from Level 2 to Level 3 or 4.

MR. BEARDSLEY: Mm-hmm.

CHAIR BROWN: And they do it on a denial, permit by exception basis. It's just all kinds of weasel words whereas before you weren't able to do that with bidirectional or even unidirectional from the lower safety to the higher safety systems. That's not good.

But like I said, is that countered by some of the other good stuff? I don't know what else is in there. It would certainly behoove to get us and you all on the same page before you go out with this. That's all. I don't know what your overall plans are but --

MR. BEARDSLEY: Sure.

CHAIR BROWN: -- we really probably ought to -- and it's also about -- let me see. It's at least 55 pages or 45 pages longer than it used to be. So I'm worried about complexity being added into it now as well. Does that mean more requirements or what? So what you --

MR. BEARDSLEY: So the section of the regulatory guide that details the licensee's cyber security plan has not changed very much at all. There are a few changes that we approved for industry over time that are incorporated. So the majority of the new information is program level guidance on sort of how you would look at a program.

And also the initial Reg Guide was based on the National Institute of Standards, cyber security standards, at the time in 2009, 2008. Those standards have changed significantly over the last 10 years. And so we've looked at those and tried to incorporate the lessons from those standards as well in addition to look at some international standards.

So there's a lot of information there, I agree. And it is a significant change. But there is good information in there for users.

CHAIR BROWN: I saw some. I told you all right up front, I saw some stuff that was much better than the previous words. But I'm also -- every time somebody says we've updated the new standards, and the new standards are more what I would call less safe, like communicating from low level to high level, high security level stuff, that was totally prohibited and was looked at, you wouldn't do that before and now it's allowed, fundamentally allowed, although you say they're going to have to jump through hoops to do it.

I don't know what else is in there like that. That's why I think a little bit of another eyeball on it before we get all enhanced with the industry and public standpoint would probably be useful. We need to look at that just to give you a heads-up.

MR. BEARDSLEY: Got it.

CHAIR BROWN: Go ahead. You can move on unless --

MR. BEARDSLEY: Okay.

CHAIR BROWN: -- somebody else has something.

MR. BEARDSLEY: Okay. The NSIR staff over the last year or so have engaged with our colleagues in the Office of Research on a number of research projects to look at different aspects of cyber security, both current and future.

This list shows the high level four areas that we currently have cyber security research going on and our colleagues in research will be briefing, I believe, the full committee tomorrow. So if there's any questions from a research point of view, you'll have an opportunity to ask then.

Just a quick look at what these are, attack surfaces for cyber security monitoring and oversight. One of the things that we've looked as we've inspected industry over the years is trying to understand and help industry understand what are the, you know, attack surfaces or the ways that an adversary could attack them?

And the staff is engaged with research on a project to help us define what are a clear set of attack surfaces that we can use as a model when we're evaluating the licensees and the licensees' programs?

The staff is looking at developing a replica of licensees' networks that we could use for research to look to evaluate different techniques that the industry has implemented and also for training for the staff themselves.

MEMBER BLEY: Can you explain that one a little bit to me?

MR. BEARDSLEY: Sure. So the licensees have multiple different methodologies for developing and implementing their networks. And what the staff would like to do is put together a network training tool that would allow staff to go evaluate those implementations and better understand them.

MEMBER BLEY: So this would be like a software model of their network or something to experiment with?

MR. BEARDSLEY: It would be a software model that we could configure to be similar to different licensee networks and then use those for evaluation.

MEMBER BLEY: Interesting. Okay. Thanks.

MR. BEARDSLEY: And this is at the -- we're at very early stages. So we're just going to investigate the potential for it. We're not ready to move forward with any kind of construct yet. But our colleagues in research are helping us sort of scope out what it would take to go do that.

MEMBER BLEY: So this is kind of like the digital twin stuff we've heard about from research?

MR. BEARDSLEY: It could theoretically be that although we are tapped in with research into the digital twins effort as well.

MEMBER BLEY: Okay. Thanks.

CHAIR BROWN: Jim?

MR. BEARDSLEY: Yes.

CHAIR BROWN: I want to phrase this -- get this stated clearly. I'm trying to remember if we've seen this or not. It seems to me we've seen this somewhere, and I'm not remembering where.

But networks, a couple configurations of networks, you have a bunch of systems out in a plant. Data goes into the network. It gets distributed to a bunch of control systems, emergency support center, technical support center, et cetera, et cetera. And it's distributed via just like a big server if you want to call it that, a distributor.

MR. BEARDSLEY: Mm-hmm.

CHAIR BROWN: But you can also embed control software in a network so you don't end up building control software for the functions like a motor control or a reactivity control system. And then you go segregate or partition the network so that you've got software barriers between them.

MR. BEARDSLEY: Mm-hmm.

CHAIR BROWN: I'm not sure I'm saying that right. Have you even given that any thought? I'm trying to remember if anybody -- I thought I remembered somebody doing something like that, but I don't think it was in the reactor trip circuit. It wasn't in the safety system area. It was in some other area.

Have you all seen any of that at all? It seems to me that's a dangerous thing to get into when you start burying stuff, control functions for various other, maybe, balance of plant systems or whatever into a network instead of a unique control system for that component.

MR. BEARDSLEY: Yes. I can't speak to the specifics on what we've seen. I mean, we've done 58 inspections. But I will say that the greater majority of the plants in the current operating fleet do not have high functioning digital systems in their safety systems.

They are evaluating digital I&C upgrades. And that's something that the staff is focused on, and we're very involved in the evaluation of.

They have implemented complex digital instrumentation and control in the balance of plant. So there are differences there. And the licensees have used various different tools to, you know, partition their networks to try and keep different levels of protection in different areas. But, again, there's many, many different configurations out there. I mean, virtually every plant is different.

CHAIR BROWN: Okay. Thanks.

MR. BEARDSLEY: We have a whole other slide to talk about wireless. So I'm not going to get into that on this slide, but we are engaged with research looking at different wireless technologies and their impact on the plant systems. Any questions about our interactions with research?

All right. Now, I'm going to turn it over to Mario Fernandez to talk about wireless.

MR. FERNANDEZ: Again, this is Mario Fernandez, and I'm on Slide 18. As Jim mentioned, there was a public meeting that was held with the industry on February 20, 2020.

The industry at this time discussed opportunities for future implementations of wireless technologies, the benefits of implementing wireless technologies, implementation considerations related to cyber security and the next steps.

At this time, the CSB staff is working with the Office of Research, as Jim mentioned, and also working with the DOE labs under the Light-Water Reactor Sustainability Program to evaluate potential industry implementation so we can better understand all the possible uses of these technologies to ensure the licensee is complying with its Cyber Security Plan.

Specifically, the NRC concern is that we want to have a thorough understanding of how these technologies will be used if the wireless devices or the wireless technologies that the licensees are intending to implement will be critical digital assets. And currently, CDAs are not affected by the use of wireless technologies.

And now I'll turn it back over to Jim.

MEMBER REMPE: Before you do that, I had a question. Could you go into some more detail about specific examples that are being considered? This is just a little too high a level for me.

I'm aware of some examples that they're doing in Japan at Fukushima that I think might be of interest to U.S. industry for operations and maintenance. And, again, if the plant is shut down where it's applied so you don't adversely affect cyber security. But what kind of examples are being discussed?

MR. FERNANDEZ: That's a very good question, Member Rempe. The industry, for instance, have mentioned the use of wireless technologies to obtain data for different devices in the field.

This data will be collected at some central point. And instead of running wires, the licensees intend to use wireless technologies to collect this data for analysis or to be able to perform other functions.

There has also been some preliminary information where the use of drones can be used for specific functions to perform some kind of maintenance inspections or to perform maybe some security functions. Because we don't have enough information yet and the industry only has a present desire to use these technologies, we don't have a lot of information.

And that's the reason why we are engaging with the Office of Research so we can understand how these technologies can be used, what are the possible vulnerabilities that can be introduced into the environment that this technology will be used. We want to have a full understanding and then we want to assess and evaluate implementation to ensure the licensees are meeting the requirements in the Cyber Security Plan. Does that answer your question, Member Rempe?

MEMBER REMPE: Yes, it does with respect to the condition between the plant components I'm aware of. I have not heard much discussion yet about the use of drones, which is of interest and how that could be done. Again, it's being used quite effectively in Japan. And so I'm interested in hearing more about that.

MR. FERNANDEZ: Yes, ma'am. So are we.

MEMBER REMPE: Tomorrow, during our research discussion, do you expect that they will be able to provide more details or it's just too preliminary? There's just not enough information coming from industry yet?

MR. FERNANDEZ: Ma'am, I don't know what the Office of Research is going to present. But I believe that it is too preliminary to even go beyond what we are discussing right now.

I'm just providing some examples where the licensees have expressed were the areas that they can use these kind of technologies for a lot of different reasons. Obviously, some of them are economical reasons. Some of the other reasons are to automate or try to implement a more effective and efficient way of doing business at their sites.

MEMBER MARCH-LEUBA: Hey, Mario, this is Jose March-Leuba. On those examples you've given, I assume you will use wireless for one directional data out not for control in, correct? Is that what you envision?

MR. FERNANDEZ: That's a very good question, sir. We don't know yet. We don't know how this technology will be used. That's the reason why we want to learn how this technology will be implemented, how the licensee intends to implement those technologies. In order for us to provide an answer exactly to the question, that's exactly the question we're asking ourselves, you know, how this would affect your --

(Simultaneous speaking.)

MEMBER MARCH-LEUBA: I'm sure you know more about this than I do but the way I would implement it would be establish a VPN tunnel in the sensor on the receiver. All right? And I would encrypt all the communications and ensure that both sides are authenticated.

However, I did a search on the NIST database of vulnerabilities this morning again, and I found 39 VPN vulnerabilities reported this year. It turns out to be one VPN vulnerability reported every three days.

And then I extended the search for three years, which is an easy way to do it. And it turns out to be one VPN vulnerability every three days. So just because somebody tells you I have a VPN between my sensor and my receiver, Jesus Christ, every three days there is a VPN, somebody messed up in their parameter on VPN so. But please do be careful. Thank you.

MR. FERNANDEZ: I share your concern. That's our concern, too. And I'm aware that recently there have been a lot of vulnerabilities reported regarding the use of VPNs.

And this is exactly why we're engaging with the Office of Research because we want to thoroughly understand this technology to ensure that when licensees implement this technology or they desire to do so we ensure that they provide the high assurance that this technology is not going to impact the current cyber security posture or the CDAs that they're already protecting.

MEMBER MARCH-LEUBA: Just for fun, Google NIST vulnerability database. Go in there, click on search and you can type key words. It's scary.

MR. FERNANDEZ: Absolutely, sir.

MEMBER MARCH-LEUBA: It's scary. There are at least 5,000 this year.

MR. FERNANDEZ: Yes, sir. I had looked a little bit into it, and you're right. If you go to the NIST website, you're absolutely correct. VPNs that have vulnerabilities all will be listed there currently where they're having the NIST database.

That's a very good source of information for vulnerability assessments.

CHAIR BROWN: I got it. Jose, there's other ways to do that. You can also send data to a wireless device through a data diode and then it can get transmitted as long as you disconnect at that point.

So you can get the data out if you want. It's cumbersome, but you can do it by isolating. And that way you don't allow something -- and you don't have a way for --

MEMBER MARCH-LEUBA: I understand, Charlie. I want to make a joke. When you are a hammer, everything looks like a nail. And your nail is your voice. And it's a very good one. It's a very good. It gets you the 99 percent.

CHAIR BROWN: Yes. I'm a nail person. You're exactly right, along with a hammer. Joy, one other thing when you talked about with the plant shutdown, wireless shouldn't be a concern. The wireless can come in and plant malware into your systems if you start letting it in even with the plant shutdown then it gets you after you're up.

MEMBER REMPE: Yes. I'm talking about the Fukushima plant being shut down. But, yes, I get what you're saying. But it's just something that if there's a way that we could adapt it in a safe way, it would be of interest, I think.

CHAIR BROWN: It hasn't stopped me yet.

MEMBER REMPE: Anyway, it's just something to think about.

MR. FERNANDEZ: Absolutely.

MEMBER REMPE: And I would be interested in how it's progressing.

MR. FERNANDEZ: Absolutely. We are very interested, too. That's why we are engaging with the Office of Research and the DOE laboratory so we can absorb, so to speak, all of this information and be able to assess and evaluate and keep up with the industries if they decide to go down this path.

CHAIR BROWN: Yes. I'm going to interrupt here for a second. We've only got two slides left other than the question mark slide. We were going to have a break. Does anybody have a vote? Should we take a 10 minute break right now, 15 minute break rather and come back?

MR. FERNANDEZ: I'm okay to continue and I think Brian is ready.

CHAIR BROWN: Members, do you all have any voice?

MEMBER MARCH-LEUBA: I vote we continue.

CHAIR BROWN: Okay. All right. Go ahead.

MR. FERNANDEZ: Thank you, members. Now I'm going to turn it over to Brian Yip, who is going to be talking about the cyber security roadmap. Thank you.

MR. YIP: Thanks, Mario. This is Brian Yip, again. This is a real brief update. We were requested to give an update on the cyber security roadmap.

For background, the initial roadmap paper, this is SECY paper that the staff put up in 2012 to provide the Commission with an update on the staff's plans for implementing the cyber program early on.

We then provided a subsequent SECY paper to the Commission in 2017 with an update to the cyber roadmap. And this gave the Commission some information on what the staff's plans were with regard to the full implementation inspections that Jim mentioned earlier in our briefing.

And it also gave the Commission some additional information about the evaluation and guidance that NRC had issued for other classes of licensees. An example would be the staff put out a best practices guide for non-power reactor cyber security.

So now at this point, we're considering if we were to provide an update to the cyber roadmap what the future format of it should be. We're really at the initial stages at this point. We're taking into consideration what areas of the cyber program we need to inform the Commission of and also any areas where we think that we may need Commission direction. And we're going to use some of those indicators to help us determine what the appropriate vehicle is to communicate that information.

If we did update the cyber roadmap, we could do another SECY paper as we've done in the past.

We may do a Commissioner assistance note or a Commissioner assistance briefing. However at this point, we haven't made any decisions yet in that regard. So we don't have much more that we can provide you on the cyber roadmap other than that at this time. And if there are no questions on that, I can turn it back to Jim.

CHAIR BROWN: Okay. Go on, Jim. Thank you.

MR. BEARDSLEY: Okay. Since the Commission approved the Cyber Security Rule in 2009, the staff and industry have made significant strides in program implementation. The industry has completed their two phase program implementation, and the staff have conducted over 170 cyber security inspections over the last eight years.

Based on those inspections, the staff had found with reasonable assurance that industry has implemented their cyber security programs.

The staff have received considerable stakeholder feedback on the cyber security oversight program through public meetings and our own self-assessment combined with inspection lessons and an audit of the inspection program by the NRC's Office of Inspector General. That feedback is being used to further develop the NRC's graded approach to cyber security oversight.

In addition, those insights, combined with lessons from the interagency and international partners, are being used to develop our approach to cyber security for future licensees.

This completes our remarks, subject to your questions.

CHAIR BROWN: Okay. Jim, are we done?

MR. BEARDSLEY: We are done.

CHAIR BROWN: Okay. Question mark page. Scott or Tom, is there an issue with the public line or what? Are we good?

MR. MOORE: Tom, this is Scott. I thought the public line had been muted. So should we go to comments after the break?

MR. DASHIELL: Yes, Scott. That would be preferable. Can you hear me now?

MR. MOORE: Yes.

MR. DASHIELL: I just unmuted it using star 6.

CHAIR BROWN: Okay. So you'd like to take a 15 minute break and then we'll go do public comments and then a round around the table.

MR. MOORE: Yes, Chairman, that would be best.

CHAIR BROWN: Okay. We'll come back here at 4:32, make it 4:35 Eastern Standard Time and then we'll resume with the public comments and then any other final comments. Okay? We are recessed until that time.

(Whereupon, the above-entitled matter went off the record at 4:18 p.m. and resumed at 4:36 p.m.)

CHAIR BROWN: Okay. It's 4:35. And we will resume the meeting. At this point, just to confirm, Tom, is the public line open right now?

MR. DASHIELL: Yes, Charlie, it is.

CHAIR BROWN: Okay. Is there anybody on the public line that would like to make any comments relative to this meeting? Okay. Second question, is there anybody on the public line, again, that would like to make any comments? Okay. Hearing none, Thomas?

MR. DASHIELL: The public line is muted.

CHAIR BROWN: Okay. Thank you. At this point, we will go ahead and go around. Do any of the members have any additional comments that they would like to provide or ask, I should say?

MEMBER PETTI: Charlie, I have one.

CHAIR BROWN: Yes, go ahead.

MEMBER PETTI: And, again, I may just be off-base. Before I got the documents, particularly in light of Part 53, I mean, I understand this is all about a process of identifying critical assets that need protection. I'm not talking about that.

What I was looking for was guidance that an advanced reactor designer would need to help them in the designs of some of their systems.

You know, I saw the data diode. It's in there. But I didn't see a concise list of, you know, these are sort of either the design philosophies or actual, you know, for lack of a better term, requirements or guidance that the NRC finds that this is an acceptable set of approaches that would work but these are those that aren't. Is it just that that's somewhere else?

CHAIR BROWN: No.

MEMBER PETTI: And you wouldn't expect to find it here?

CHAIR BROWN: No, you're right. Normally, we have covered that. This is my interpretation of what we've done, and you've got to look at different systems.

We fundamentally look at it from a design certification standpoint. And we normally deal with the digital I&C systems, which result in a safety monitoring control safeguards, whatever they may be, whatever configuration they may take.

And in the old methodology, there was a Chapter 7, which covered all of the I&C systems. And we normally developed -- or they did develop fundamentally, a functional one line diagram of the basic architecture showing that they meet the frameworks of redundancy, independence, deterministic processing, control of access and diversity and defense in-depth.

And there we have looked at the interrelations of the various systems and what type of communications they make and where they go to and where they don't go to. And so that has been covered in great detail as part of the design certification approvals.

MEMBER PETTI: So there's nothing new that cyber would add on top of that?

CHAIR BROWN: No. Fundamentally, if you look at the words and you go through the document -- and it's hard to find, okay -- system by system and you look and see how does it deliver data someplace else?

For instance, a reactor trip system doesn't have to receive any data. I mean, it just either scrams the plant or it doesn't. So it can send data out, but you want it to do it through a data diode, a type of unidirectional non-software based data circumstance transmission.

So you do that, you evaluate that in that context, bidirectional versus unidirectional, as we have talked about several times.

So you're right. We don't go -- there's nothing that says this is a hard and fast criteria. We try to use our heads as we're looking at the design.

MEMBER PETTI: Okay.

CHAIR BROWN: And it gets difficult sometimes needless to say. Are there any other member comments?

MEMBER MARCH-LEUBA: Yes. This is Jose. This is going to be a little out of character, but I found this presentation really interesting. It's an interesting topic.

Overall, well done. The staff has done a fantastic job trying to do a difficult task. And I want to congratulate you. But stay on top of it because things change daily so don't sleep on your laurels. Thank you.

CHAIR BROWN: Thank you, Jose. Is there anybody else that would like to say anything?

MR. HECHT: This is Myron. If I could just add a comment with respect to the research initiatives that were being planned.

CHAIR BROWN: Yes.

MR. HECHT: There is a plethora, a huge amount of work, that's been done on industrial control cyber security in the ISA standard, ISA 99 Series. There's an awful lot of work that's been done.

And many of the questions that have been raised here, what if, you know, what if questions, change control, just new vulnerabilities that are coming up. That's all largely addressed in those standards. And I would advise that research be directed to look at those as part of their activities as well.

CHAIR BROWN: Okay. Thank you very much, Myron. If you can identify some of those and send them to me, I would like to see them.

MR. HECHT: Sure. I can do that.

CHAIR BROWN: If you can identify a few of them, thank you. You all --

MEMBER REMPE: This is Joy, Myron. If you could do this soon, we do have a meeting tomorrow afternoon. And we don't really direct research to do anything. We make recommendations of things they should be considering. But it would be very timely if you could get this out to us, you know, before like, I guess, it's what 2 o'clock, the time tomorrow.

CHAIR BROWN: If you could get --

MR. HECHT: I can give you a short list of the major ones, yes.

MEMBER REMPE: It doesn't have to be, yes, everything. But anyway, it would help us out.

CHAIR BROWN: Okay. Yes. Send it to Christina, and she can get it to everybody. Okay?

MEMBER MARCH-LEUBA: I mean, would it be possible to task Myron to be in the meeting tomorrow because he's the one that knows.

MEMBER REMPE: Actually, I just don't think we need that. One, it's kind of late to have to send him all this information. It would just help us if you got us a list. It's not necessary for you to listen to -- we're going to be going through a lot of things that are covered by the Division of Engineering, and it would be a waste of Myron's time to have to sit through the whole meeting for that.

MEMBER MARCH-LEUBA: But, Myron, as an interested member of the public, there is an open line that you can always log in if you are bored on a Friday afternoon. You won't have a voice until at the end of the meeting.

MR. HECHT: Thanks.

CHAIR BROWN: Any other comments from members?

MEMBER KIRCHNER: Yes, Charlie. This is Walt. Thank you to the staff for the presentations. I second Jose's comments on the staff's presentation.

If it's possible, could Christina obtain the white paper that Eric Lee presented? I thought the conceptual approach that he described on safety-related and important to safety of much interest and relevant to our deliberations on 10 CFR 53. Thank you.

MS. ANTONESCU: Yes, Walt, I already sent it to everybody. I'll try to resend it to you, too.

MEMBER KIRCHNER: No, don't resend it. I'm just not monitoring my email in real-time. Thank you.

MS. ANTONESCU: Oh, you're welcome.

MEMBER SUNSERI: Hey, Charlie, this is Matt.

CHAIR BROWN: Just let me answer Walt. I think it might be in the package that you got for this meeting. If I can -- is it the one on safety, safety-related? There were three of them in there, one on balance of plant, one on security and the other white paper, I think, was on safety and safety-related.

MEMBER KIRCHNER: Okay. I'll look for it, Charlie. I don't want to create extra work for anyone. Thank you.

CHAIR BROWN: I'll try to let you know which ones they are if I can remember that long. Somebody else was speaking up when I interrupted. I apologize for that.

MEMBER SUNSERI: Charlie, it's Matt. I was just curious. From a planning perspective, are you planning on recommending that we write a letter on this topic?

CHAIR BROWN: No. This is strictly an information briefing right now. Our letter would be on 5.71. That's the key point for us to go do. So that's coming up. That revision process is in process. So that's where I've got my focus right now.

MEMBER SUNSERI: Thank you.

CHAIR BROWN: Okay. Anybody else? Okay. I'll wrap up. Michele and Jim, I want to thank you all for a very good, well done presentation.

For some reason, these presentations on mass subjects always end up with some very excellent discussion with a wide range of viewpoints, which is also very, very useful.

So I think your presentation engendered some of that. And that was much appreciated. And your ability to respond on the spot is also much appreciated. It certainly is indicative of the good work that you guys are doing.

So I wanted to thank you very much for a very well done presentation and very complete in terms of your ability to describe some details of what you all were doing and what you've seen.

So, Jim, Michele, thank you all. Much appreciated. With no more ado, I guess it's time for me to adjourn the meeting and the rest of the members, we'll re-adjourn tomorrow morning sometime. Everybody take care. The meeting is adjourned.

(Whereupon, the above-entitled matter went off the record at 4:47 p.m.)

NRC Cyber Security Oversight Program Update, July 2021

Jim Beardsley, Chief, Cyber Security Branch (CSB)
Division of Physical and Cyber Security Policy (DPCP)
Office of Nuclear Security and Incident Response (NSIR)
james.beardsley@nrc.gov

Key Messages

  • The NRC staff is committed to maintaining an efficient, robust cyber security program that can adequately protect against the dynamic cyber threat environment.
  • Lessons learned from the implementation of the cyber security oversight program are being used to implement efficiencies and enhancements to the cyber security program and update RG 5.71.
  • Experience gained with the operating reactors oversight provides the NRC staff with insights for implementing appropriate levels of cyber security for other licensees, including SMRs and other technologies.


Power Reactor Cyber Security Background

[Timeline graphic, 2009-2017, with these milestone labels: RG 5.71 & NEI 08-09 Implementation Guidance Acceptable for Use; NRC & Industry agree on MS 1-7 Implementation Schedule; Cyber Security Plans & Implementation Schedules Approved; Industry's Interim Implementation Schedule; MS 1-7 Inspections at All NPPs; NRC Cyber Security Notification Rule 10 CFR 73.77; Licensee Interim Implementation Completed; Full Implementation]

  • Interim Implementation included seven milestones
  • 2013-2015 Interim Implementation inspections at all 63 operating NPPs
  • Identified challenges with guidance and inspections processes
  • 2016-2017 Improved industry guidance, full oversight program and improved inspector training implemented.

10 CFR 73.54
RG - Regulatory Guide; NEI - Nuclear Energy Institute; CFR - Code of Federal Regulations

RG 5.71 Cyber Security Program Implementation

1. Cyber Security Assessment Team
2. Identify Critical Digital Assets (CDAs)
3. Implement Defensive Architecture
4. Apply Security Controls

RG - Regulatory Guide; NEI - Nuclear Energy Institute

Generic Defensive Architecture

[Architecture diagram with the labels: Internet; Corporate Network; Site Network; Security / Safety Systems; One-way Deterministic Device]

Power Reactor Cyber Security Background

[Timeline graphic, 2009-2020/2021, with these milestone labels: RG 5.71 & NEI 08-09 Implementation Guidance Acceptable for Use; NRC & Industry agree on MS 1-7 Implementation Schedule; Cyber Security Plans & Implementation Schedules Approved; Industry's Interim Implementation Schedule; MS 1-7 Inspections at All NPPs; NRC Cyber Security Notification Rule 10 CFR 73.77; Licensee Interim Implementation Completed; Full Implementation; Full Implementation Inspections at all Licensee Sites]

  • Full Implementation Inspections 2017-2021.
  • 2017-2021 Full Implementation inspections at all 58 operating NPPs.
  • Inspection identified some findings of very low safety significance.
  • In general, industry has demonstrated program effectiveness.

10 CFR 73.54
RG - Regulatory Guide; NEI - Nuclear Energy Institute; CFR - Code of Federal Regulations

Future of Power Reactor Cyber Oversight

[Timeline graphic, 2009-2020/21, with these milestone labels: RG 5.71 & NEI 08-09 Implementation Guidance Acceptable for Use; NRC & Industry agree on MS 1-7 Implementation Schedule; Cyber Security Plans & Implementation Schedules Approved; Industry's Interim Implementation Schedule; MS 1-7 Inspections at All NPPs; NRC Cyber Security Notification Rule 10 CFR 73.77; Licensee Interim Implementation Completed; Full Implementation; Full Implementation Inspections at all Licensee Sites; Power Reactor Cyber Security Self-Assessment; Future Inspection Program]

Power Reactor Cyber Security Self-Assessment

- Independent Assessment Team

- Licensees and other External Stakeholders (including FERC)

- Many actionable comments received

  • Staff developed an Action Plan to address the challenges identified during the assessment

- Phased approach

- Critical digital asset determination initial focus areas

- Focus on defense-in-depth

10 CFR 73.54
RG - Regulatory Guide; NEI - Nuclear Energy Institute; CFR - Code of Federal Regulations

Cyber Security Action Plan

  • Clarifications of program definitions & terms
  • Review criteria for digital asset analysis and protection

- Emergency Preparedness (EP)

- Balance-of-Plant (BoP)

- Safety-Related and Important-to-Safety SR/ItS

- Security

  • Best practices for digital asset assessment
  • Risk-inform control set applied to protect digital assets
  • Future inspection program

- Inform oversight with licensee performance metrics

- Evaluate performance testing as an element in the oversight program

RG 5.71 Initial Focus Area

EP CDA Determination Changes

  • Industry proposed changes to EP CDA determination guidance

- Changes are related to 10 CFR 73.54 section (b)(1)

- Aligns with EP requirements and program implementation.

- EP DAs classified as CDAs if the DA(s) is compromised and the EP function can't be performed

- Objective: properly classify the number of EP risk significant CDAs, and reallocate resources for more focus in the Safety & Security Critical Systems.

  • Accepted by the NRC in August 2020 following staff review and public meetings

- Initial public meeting to discuss proposed changes in November 2019

- NEI first submittal in November 2019

- NEI submitted revised paper to address staff concerns in April 2020

- Tabletop workshop conducted to discuss proper implementation August 2020

- Licensees may implement the changes prior to the revision of NEI 10-04 and NEI 13-10 guidance

- Changes will be incorporated in future revisions of the NEI guidance (above)

CDA - Critical Digital Asset; DA - Digital Asset; EP - Emergency Preparedness; NEI - Nuclear Energy Institute

BoP CDA Determination

  • Industry has proposed changes to BoP CDA determination guidance

- BoP CDAs are those CDAs that were added to the scope of the cyber security rule during the resolution of FERC Order 706-B

- Industry proposed aligning the BoP CDA evaluation criteria with the latest NERC CIP standards, which are based on impact to the Bulk Electric System (BES), by revising the guidance found in NEI 10-04 and NEI 13-10.

  • Accepted by the NRC in August 2020 following staff review and public meetings

- Initial public meeting to discuss in January 2020

- NEI first submittal in April 2020

- NEI submitted revised paper to address staff concerns in July 2020

- Licensees may implement the changes prior to revision of NEI 10-04 and NEI 13-10 which will roll up all changes.

BoP - Balance of Plant; FERC - Federal Energy Regulatory Commission; NERC - North American Electric Reliability Corp.; CIP - Critical Infrastructure Protection

SR/ItS CDA Determination

  • The proposed guidance refined SR/ItS CDA determination criteria

- Defined the terms safety-related and important-to-safety functions in the context of cyber security, based on how the NRC has historically used these terms.

- Aligned the SR/ItS CDA identification criteria with the NRC's safety regulations.

  • Accepted by NRC in August 2020 following staff review and public meeting.

- Initial discussion on the subject in August 2019

- Submitted for review in May 2020: public meeting in June 2020

- NEI submitted revision that addressed staff concerns in July 2020.

- Licensees may implement the changes prior to revision of NEI 10-04 and NEI 13-10 which will roll up all changes.

SR - Safety Related; ItS - Important to Safety

Security CDA Determination

  • The effort focused on refining CDA determination and classification criteria for security digital assets.

- Defines security function in the context of cyber security;

- Addresses digital security tools and security support systems;

- Clarifies cyber security protection for digital assets used for access authorization.

  • Accepted by NRC in June 2021 following staff review and public meeting.

- Initial draft received in December 2020; public meeting in January 2021.

- Response to NEI in April 2021: additional guidance needed on security support systems; more clarity in access authorization.

- NEI submitted revision that addressed staff concerns in June 2021.


Post Full Implementation Inspection Program

  • Performance Informing Initiatives

- Performance Metrics:

  • Staff and industry have conducted two public meetings to discuss the voluntary use of licensee performance metrics to inform future inspections.

- Performance Testing:

  • Staff and industry have discussed the potential for informing future inspections with licensee performance testing results.
  • A structure for review of performance metrics and testing results has been included in the draft inspection procedure.
  • Staff conducted public meetings in February and April 2021 to discuss the proposed inspection process and receive stakeholder feedback.


Part 53 Rulemaking Cyber Security Approach: 10 CFR 73.110 Cyber Security

Cyber Security Rule Petition for Rulemaking

  • PRM-73-18 submitted by NEI in 2014.
  • Staff assessed the PRM in 2017 and further in 2019.
  • Decision on the PRM deferred to evaluate the impact of cyber program assessment action plan activities.
  • The Commission is expected to make a decision on the petition in July 2021.


Regulatory Guide 5.71 Update

  • Issued DG-5061 for public comment (2018)
  • In 2021, staff updated DG-5061 to incorporate the program changes implemented since 2018.
  • Plan to issue updated DG-5061 for 2nd public comment in August
  • ACRS review of the DG following public comment period, early 2022
  • Plan to issue RG 5.71 Revision 1 in Spring 2022

Cyber Security Engagement with RES

  • Attack Surface for Cybersecurity Monitoring and Oversight
  • Licensee Network Replica for Cybersecurity Training
  • Wireless Communication Technologies (Safety & Security)
  • Cybersecurity Expert Seminars

Wireless Technology and New Licensees

  • Public Meeting on February 20, 2020

- Current wireless implementations

- Potential future wireless initiatives

  • Future Wireless Technology Engagements

- Discuss specific examples for potential industry initiatives and how they might fit into the regulatory framework.

- Staff are working with the DOE laboratories and the Light Water Reactor Sustainability Program to evaluate potential industry wireless implementations

Cyber Security Roadmap Update

  • The initial roadmap paper was completed in 2012 (ML12135A050).
  • Staff is weighing best approach for future updates:

- Acknowledging other processes that will keep the Commission informed (e.g., Part 53 rulemaking process).

- Considering whether there are areas where additional Commission guidance may be necessary.


Conclusion

  • Staff conducted an assessment of the program in 2019, including significant stakeholder feedback; the focus areas identified are being addressed.
  • Staff and industry are further implementing graded approaches for the CDA selection and protection of EP, BoP, Security and Safety-Related/Important-to-Safety digital assets.
  • Staff are evaluating graded approaches to cyber security for new licensees/applicants.


Questions