ML21236A165
| ML21236A165 | |
| Person / Time | |
|---|---|
| Issue date: | 07/22/2021 |
| From: | Advisory Committee on Reactor Safeguards |
| To: | |
| Antonescu, C, ACRS | |
| References | |
| NRC-1598 | |
| Download: ML21236A165 (142) | |
Text
Official Transcript of Proceedings NUCLEAR REGULATORY COMMISSION
Title:
Advisory Committee on Reactor Safeguards Digital Instrumentation and Control Systems Docket Number: (n/a)
Location: teleconference Date: Thursday, July 22, 2021 Work Order No.: NRC-1598 Pages 1-119 NEAL R. GROSS AND CO., INC.
Court Reporters and Transcribers 1323 Rhode Island Avenue, N.W.
Washington, D.C. 20005 (202) 234-4433
1 1
2 3
4 DISCLAIMER 5
6 7 UNITED STATES NUCLEAR REGULATORY COMMISSIONS 8 ADVISORY COMMITTEE ON REACTOR SAFEGUARDS 9
10 11 The contents of this transcript of the 12 proceeding of the United States Nuclear Regulatory 13 Commission Advisory Committee on Reactor Safeguards, 14 as reported herein, is a record of the discussions 15 recorded at the meeting.
16 17 This transcript has not been reviewed, 18 corrected, and edited, and it may contain 19 inaccuracies.
20 21 22 23 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 www.nealrgross.com
1 1 UNITED STATES OF AMERICA 2 NUCLEAR REGULATORY COMMISSION 3 + + + + +
4 ADVISORY COMMITTEE ON REACTOR SAFEGUARDS 5 (ACRS) 6 + + + + +
7 DIGITAL INSTRUMENTATION AND CONTROL SYSTEMS 8 SUBCOMMITTEE 9 + + + + +
10 THURSDAY, JULY 22, 2021 11 + + + + +
12 The Subcommittee met via Video 13 Teleconference, at 2:00 p.m. EDT, Charles H. Brown, 14 Chairman, presiding.
15 COMMITTEE MEMBERS:
16 CHARLES H. BROWN, Chair 17 RON BALLINGER, Member 18 DENNIS BLEY, Member 19 VICKI BIER, Member 20 GREG HALNON, Member 21 WALTER KIRCHNER, Member 22 JOSE MARCH-LEUBA, Member 23 DAVE PETTI, Member 24 JOY REMPE, Member 25 MATT SUNSERI, Member NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
2 1 ACRS CONSULTANT:
2 MYRON HECHT 3
4 DESIGNATED FEDERAL OFFICIAL:
7 ALSO PRESENT:
8 SCOTT MOORE, ACRS Executive Director 9 JIM BEARDSLEY, NSIR 10 TOM DASHIELL, ACRS 11 MARIO FERNANDEZ, NSIR 12 JURIS JAUNTIRANS, NSIR 13 ERIC LEE, NSIR 14 MICHELE SAMPSON, NSIR 15 DAN WARNER, NSIR 16 BRIAN YIP, NSIR 17 18 19 20 21 22 23 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
3 1 C-O-N-T-E-N-T-S 2 Opening Remarks . . . . . . . . . . . . . . . 4 3 Introductory Remarks . . . . . . . . . . . . . 7 4 Cyber Inspection Update and Current Operating 5 Experience . . . . . . . . . . . . . . . . . 8 6 Status of Full Implementation Inspections 7 Operating Experience (lessons learned) 8 Cyber Program 2019 Assessment 9 2019 Cyber Assessment Results & Follow Up 10 Actions 11 Post Full Implementation Inspection Program 12 Status of Other Program Elements . . . . . . . 69 13 Cyber Security Petition for Rulemaking 14 Status (PRM-73-18) 15 Regulatory Guide 5.71 16 Wireless Technology 17 Cyber Roadmap Update 18 Public Comments . . . . . . . . . . . . . . 111 19 Closing Remarks . . . . . . . . . . . . . . 119 20 21 22 23 24 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
4 1 P R O C E E D I N G S 2 2:01 p.m.
3 CHAIR BROWN: Okay. Good afternoon, 4 everyone. Sorry for the slight delay. I was counting 5 noses. The meeting will now come to order.
6 This is a meeting of the Digital I&C 7 Subcommittee. I am Charles Brown, Chairman of the 8 Subcommittee meeting. ACRS members in attendance are 9 Dennis Bley, Matt Sunseri, Jose March-Leuba, Joy 10 Rempe, Ron Ballinger, Dave Petti, Walter Kirchner, 11 Vicki Bier and our consultant Myron Hecht.
12 A couple may show up. I will let them 13 come as they are able to get in.
14 MEMBER HALNON: Charlie, this is Greg 15 Halnon. I'm in.
16 CHAIR BROWN: Oh, okay. Greg Halnon is 17 also now here. Christina Antonescu of the ACRS staff 18 is the designated federal official for this meeting.
19 The purpose of this meeting is for the staff to brief 20 the Subcommittee on the status of the cyber security 21 program.
22 The ACRS was established by statute and is 23 governed by the Federal Advisory Committee Act, FACA.
24 That means the Committee can only speak through its 25 published letter reports. We hold meetings to gather NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
5 1 information to support our deliberations.
2 Interested parties who wish to provide 3 comments can contact our office requesting time. That 4 said, we set aside 10 minutes for comments for members 5 of the public attending or listening to our meetings.
6 Written comments are also welcome.
7 The meeting agenda for today's meeting was 8 published in the NRC's public meeting notice website 9 as well as the ACRS meeting website. On the agenda 10 for this meeting and on the ACRS meeting website are 11 instructions as to how the public may participate.
12 No requests for making a statement to the 13 Subcommittee has been received from the public. Due 14 to COVID-19, we are conducting today's meeting 15 virtually. A transcript of the meeting is being kept 16 and will be made available on our website. Therefore, 17 we request that all participants in this meeting 18 should first identify themselves and speak with 19 sufficient clarity and volume so that they can be 20 readily heard.
21 All presenters must please pause from time 22 to time to allow members to ask questions. Please 23 also indicate the slide number you are on when moving 24 to the next slide.
25 We have a bridge line established for the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
6 1 public to listen to the meeting. The public line will 2 be kept open in a listen-only mode until the time for 3 public comment. To avoid audio interference, I 4 request all attendees to make sure that they are muted 5 while not speaking.
6 Based on our experience from previous 7 virtual meetings, I would like to remind the speakers 8 and presenters to speak slowly. We will take a short 9 break after each presentation or when it's relevant to 10 allow time for screen sharing as well as the 11 Chairman's discretion during longer presentations.
12 We do have a backup call in number should 13 Skype go down -- excuse me, should Teams go down, and 14 it has been provided to the ACRS members. If we need 15 to go to the backup number, the public line will also 16 be connected to the backup line.
17 Lastly, please do not use any virtual 18 meeting feature to conduct sidebar technical 19 discussions. Rather contact the DFO if you have any 20 technical questions so we can bring those to the 21 floor.
22 We'll now proceed with this meeting, and 23 I'll ask Jim Beardsley to share his screen with us 24 while Ms. Michele Sampson, the Deputy Director, 25 Division of Physical and Cyber security Policy, Office NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
7 1 of Nuclear Security and Incident Response for any 2 introductory remarks for today's meeting before we 3 begin today's presentation by Mr. Jim Beardsley, the 4 Branch Chief in the Cyber Security Branch. Michele?
5 MR. MOORE: Can the members on the public 6 line, you need to mute your phones, you need to mute 7 your phones. We're getting carryover.
8 MS. SAMPSON: Thank you and good 9 afternoon. I'm Michele Sampson, Deputy Director for 10 the Division of Physical and Cyber security Policy in 11 the Office of Nuclear Security and Incident Response.
12 I want to express my appreciation for the 13 opportunity to brief on the Agency's cyber security 14 program with the ACRS Digital I&C Subcommittee.
15 We last briefed the Subcommittee in March 16 of 2019. There have been several significant 17 accomplishments since that last meeting. We will 18 highlight a few, including the completion of the 19 Milestone 8 inspections, a full cyber security program 20 implementation at the operating power reactors and the 21 results of the staff's cyber security program 22 assessment.
23 We will also touch on some of the exciting 24 future work in cyber security, including the 25 development of a new technology-inclusive graded NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
8 1 approach to cyber security regulations as a part of 2 the advanced reactor rulemaking effort.
3 The cyber security staff routinely 4 interface with our federal partners and domestic and 5 international stakeholders to share operating 6 experience and best practices.
7 We are committed to maintaining an 8 efficient, robust cyber security program that can 9 adequately protect against the dynamic cyber threat 10 environment.
11 I would like to recognize the work of Jim 12 Beardsley, Chief of the Cyber Security Branch and his 13 staff, to prepare for today's briefing. And I look 14 forward to the opportunity to hear from him and 15 several members of his branch.
16 With that, I'd like to turn it over to Jim 17 to begin the presentation.
18 MR. BEARDSLEY: Thank you, Michelle. As 19 Michelle stated, I am Jim Beardsley, Chief of the 20 Cyber Security Branch in the Office of Nuclear 21 Security and Incident Response.
22 Today's brief is an update to a program 23 brief that staff provided to the Subcommittee in March 24 of 2019. Today I will be joined by the following team 25 from the Cyber Security Branch, Mario Fernandez, Dan NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
9 1 Warner, Eric Lee, Brian Yip and Juris Jauntirans.
2 Slide Number 2. Today's brief will 3 discuss the status of the NRC cyber security program, 4 including successful completion of our oversight 5 inspections for the industry's cyber security full 6 implementation.
7 The program found with reasonable 8 assurance that industry has implemented their programs 9 to meet the requirements of the Cyber Security Rule 10 and the Cyber Security Plans, which are license 11 conditions for each licensee.
12 The staff has learned a number of lessons 13 on the oversight program from the full implementation 14 inspections, the staff self-assessment of the 15 oversight program and an NRC Office of Inspector 16 General audit of the inspection program in 2019.
17 As a result, the staff has been working 18 with industry to further implement the graded approach 19 to cyber security to digital asset protection, to 20 further performance inform our cyber security 21 inspection program, to update cyber security guidance 22 in Regulatory Guide 5.71 and to develop a graded 23 approach to cyber security for future applicants and 24 licensees.
25 Slide Number 3.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
10 1 CHAIR BROWN: Jim? This is Charlie.
2 MR. BEARDSLEY: Yes.
3 CHAIR BROWN: When you talk about a graded 4 approach, I presume in your later slides you will be 5 giving us a detailed discussion of what that means?
6 MR. BEARDSLEY: I intend to, yes, yes.
7 CHAIR BROWN: Okay. Thank you. I just 8 wanted to make sure. Thank you.
9 MR. BEARDSLEY: Absolutely. In our March 10 2019 brief to the Subcommittee, the staff discussed 11 the power reactor cyber security program history.
12 Today, I will briefly review some of that 13 history and talk to in particular our future plans as 14 we move forward.
15 This slide shows the progression of the 16 program from implementation of the Cyber Security Rule 17 in 2009 through industry's cyber security program full 18 implementation, which occurred at the end of 2017.
19 As a result of lessons learned during the 20 initial implementation inspections between 2013 and 21 2015, the staff and industry have developed a series 22 of guidance documents for the cyber security program 23 implementation and NRC's inspection program.
24 Those improvements proved to be a vital 25 element in the successful completion of both the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
11 1 licensee implementation and the staff's inspection of 2 their implementation following the 2017 full 3 implementation date.
4 In 2010, the NRC issued Regulatory Guide 5 5.71, Cyber Security Programs for Nuclear Facilities.
6 This document provides the licensees a methodology or 7 framework that can be used to meet the requirements of 8 the Cyber Security Rule.
9 As a review, this slide shows the primary 10 principles of a cyber security program as listed in 11 the Regulatory Guide.
12 The first step would be for a licensee to 13 establish a multidisciplinary cyber security 14 assessment team. That team would then be instrumental 15 in implementing the remainder of the program.
16 The next step would be for licensees to 17 review all of their digital assets and determine which 18 of those assets need to be protected in accordance 19 with the Cyber Security Rule and their Cyber Security 20 Plan.
21 The next step is for the licensees to 22 implement a defensive architecture. And my following 23 slide will discuss the defensive architecture in more 24 detail.
25 Finally, the licensees would apply cyber NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
12 1 security controls in accordance with their Cyber 2 Security Plan to each of the critical digital assets 3 that they determined needed to be protected in an 4 earlier step.
5 The final steps of full implementation are 6 for licensees to implement overwriting programs that 7 support the protection, operation and continuing 8 maintenance of their cyber security programs and a 9 number of those elements are listed at the bottom of 10 the slide.
11 MEMBER HALNON: Hey, Jim, this is Greg 12 Halnon. Do you have a feel, since Reg Guides are 13 voluntary, do you have a feel for how many licensees 14 actually implemented the program for this Reg Guide 15 5.71?
16 MR. BEARDSLEY: That's a great question.
17 When the staff published Regulatory Guide 5.71, 18 industry also developed a guidance document, NEI 08-19 09, which was very, very similar to Reg Guide 5.71.
20 Most of the operating fleet, in fact all 21 but Vogtle 3 and 4 committed to the NEI document, 22 which has a Cyber Security Plan template that is 23 virtually identical to that in Regulatory Guide 5.71 24 So only one of our licensees committed to 25 Reg Guide 5.71. But the guidance in the document is NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
13 1 enduring and the staff uses it as part of our 2 assessment and licensees do use it as a reference.
3 MEMBER HALNON: So it wasn't endorsed, but 4 it was found acceptable through your process?
5 MR. BEARDSLEY: The NEI guidance document 6 was found acceptable for use by the staff, correct.
7 MEMBER HALNON: Okay.
8 MR. BEARDSLEY: It was found to be an 9 acceptable method to implement a cyber security 10 program.
11 MEMBER HALNON: All right.
12 CHAIR BROWN: How did that happen?
13 MR. BEARDSLEY: How did the staff make 14 that determination?
15 CHAIR BROWN: Yes. I don't remember -- I 16 wrote the letter on 5.71 back in 2009 and '10. And I 17 don't remember this NEI document. What's the date of 18 that?
19 MR. BEARDSLEY: I don't know exactly.
20 We'll have to get back to you. But it came out right 21 about the same time as the Regulatory Guide. It may 22 have been a little earlier. It may have been a little 23 later. But we'll get you an answer to that.
24 CHAIR BROWN: The purpose of the question 25 is you say it's virtually identical. The rule is NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
14 1 fairly specific, you know, the 73 point whatever 54 or 2 whatever the right number is. I probably got it 3 wrong. And I just wondered how this NEI document 4 tracked. I don't remember us ever seeing it. That's 5 why I asked the question.
6 MR. BEARDSLEY: The format in the document 7 is very similar to Reg Guide 5.71. It's not exact.
8 But the template for a Cyber Security Plan follows the 9 same set of controls, the approximately 160 controls, 10 that the staff had included in Regulatory Guide 5.71.
11 The industry then used that template to 12 develop and submit to the staff for approval a Cyber 13 Security Plan. And each individual licensee had their 14 Cyber Security Plan reviewed and approved back in 15 2010.
16 CHAIR BROWN: There were some sections, if 17 you go back into the appendices for 5.71, I think it 18 was Appendix C where it talked about unidirectional 19 data diode-type connections from the Level 4 to 3 and 20 3 to anything above that, and did it mirror those 21 types of things as well?
22 MR. BEARDSLEY: It did. And I'm going to 23 talk about that on the next slide.
24 CHAIR BROWN: Okay. Thank you.
25 MR. BEARDSLEY: Sure. Any other questions NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
15 1 on the Reg Guide? Okay. Moving on to Slide Number 5.
2 MR. LEE: Hey, Jim?
3 MR. BEARDSLEY: Yes.
4 MR. LEE: The NEI 08-09 was dated April 5 2010.
6 MR. BEARDSLEY: Okay. And when was the 7 Reg Guide published?
8 MR. LEE: I believe that was -- similar 9 time, 2010 or so, I believe.
10 MR. BEARDSLEY: Right. Well, we'll get an 11 exact answer for the members following the meeting.
12 MEMBER BALLINGER: It was January 2010.
13 CHAIR BROWN: Yes, January, thank you.
14 MR. BEARDSLEY: Okay.
15 CHAIR BROWN: You got a hit on that.
16 MR. BEARDSLEY: So the Regulatory Guide 17 was published about three months before the staff 18 accepted NEI's document for use.
19 So talking about the -- I'm sorry.
20 MR. HECHT: This is Myron Hecht. You 21 stated -- just a clarification question. You said 22 that all but Vogtle had committed to NEI 08-09. Did 23 Vogtle commit to 5.71? Is that the difference or --
24 MR. BEARDSLEY: They did.
25 MR. HECHT: -- did they not commit to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
16 1 anything? I see.
2 MR. BEARDSLEY: They committed to Reg 3 Guide 5.71, and they elected to use the template in 4 Reg Guide 5.71 for the Cyber Security Plan. So that 5 was how they -- that's how the commitment was made.
6 And the reason was at that time, NEI -- at 7 the time that Vogtle 3 and 4 submitted their Cyber 8 Security Plan as part of their combined license, the 9 NEI guidance document hadn't been completed yet. So 10 the only template that existed was the one in Reg 11 Guide 5.71.
12 MR. HECHT: Thanks.
13 MR. BEARDSLEY: So to go to the question 14 that Member Brown asked, all of the licensees have 15 implemented a topology that's similar to that shown on 16 this slide.
17 And on the slide Level 0 is the Internet 18 all the way on the right. And as you move from right 19 to left, the systems are more sensitive and are 20 receiving more protection.
21 So Level 1 would be a corporate network 22 for a licensee that's part of a larger corporation.
23 Level 2 would be a site-wide network and that's the 24 administrative network for training and administration 25 of the site.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
17 1 And then the licensee is committed to a 2 one-way deterministic device in their Cyber Security 3 Plan. All of our licensees elected to use a data 4 diode to meet that requirement. And that is a digital 5 device that prevents any digital information from 6 being transferred from Level 2 to Level 3. So the 7 laws of physics will not allow data to be transferred 8 over the network from Level 2 to Level 3.
9 CHAIR BROWN: So Level 3 would be the area 10 where you had, like, the reactor control systems, trip 11 systems, ESFAS, et cetera, safety systems?
12 MR. BEARDSLEY: Right.
13 CHAIR BROWN: -- up to Level 4.
14 MR. BEARDSLEY: Right. Level 3 and Level 15 4 are not consistently implemented across the various 16 licensees. So each licensee made a determination on 17 where they wanted to put their critical digital assets 18 in Level 3 and/or Level 4.
19 So I can't say that they all put a certain 20 system in Level 3 and/or Level 4. But beyond the data 21 diode boundary in Level 3 and Level 4, they have all 22 of their safety and security and many of their 23 emergency preparedness digital assets.
24 CHAIR BROWN: So I was just trying to 25 figure out when I looked at the slides what NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
18 1 constituted in NRC's mind the Level 4 and Level 3.
2 Cyber security is one set of words. I wasn't sure 3 what that meant inside of this barrier of the data 4 diode. And I also saw a firewall there.
5 MR. BEARDSLEY: There is a firewall. In 6 fact, some licensees implemented multiple firewalls to 7 partition different parts of Level 3 and Level 4. And 8 some of them have used additional data diodes to 9 partition various different systems.
10 So from a security point of view, that's 11 the physical security system, the computers that they 12 use to manage the physical security program and then 13 from the safety systems, that's the balance of plant 14 systems. That's the safety systems. That's any other 15 system that the licensee has determined was a critical 16 digital asset and needed to be protected.
17 CHAIR BROWN: Okay. So I was thinking 18 that when you say security that kind of -- you're 19 talking about all the -- I call them admins. But 20 they're not really admin relative to being admin-21 admin. They're not part of the business systems.
22 In other words, that's where you have all 23 the spyware, whatever you want to call it, to make 24 sure people don't intrude into the site, alarms, all 25 the systems that generate that would be back most in NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
19 1 the Level 4 area based on your all's -- whereas Level 2 3 -- based on your all's categorization would roughly 3 be plant systems, roughly.
4 MR. BEARDSLEY: I'm not going to disagree 5 with what you're saying, but I can't commit that every 6 licensee elected to put on those systems in one or the 7 other.
8 CHAIR BROWN: I totally understand, 9 totally. The reason I'm asking the question is 10 because in a couple of the applications we went 11 through, new design plants for the last two or three, 12 we actually ended up with -- you talk about reactor 13 trip in the ESFAS systems which feed, you know, plant 14 control stuff, like reactivity control pumps, valves, 15 whatever you have necessary for your emergency core 16 cooling, et cetera, we largely ended up with 17 unidirectional data diode-type transmissions from 18 those systems to the other ones.
19 In other words, they were within the Level 20 3 area, but they were also protected from one safety 21 system, what I would call to maybe a safety -- I don't 22 know what the difference is for the actual components 23 that do the job themselves because you never know 24 what's going to be on some of these pumps, valves 25 whether they have computer controlled controllers or NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
20 1 not, et cetera. So we did not want any interaction 2 backwards into those other systems.
3 So I presume this allows -- that's not a 4 firewall. That was a hard data diode. Other systems 5 could handle a firewall type approach. So I presume 6 that's flexible definition in that 4 and 3 and then 7 within the 3 routine?
8 MR. BEARDSLEY: It is. And it's really --
9 the licensee has to determine what systems should be 10 protected and the appropriate level of protection and 11 then they'll partition their networks as such.
12 CHAIR BROWN: Okay. And for the operating 13 plants, you obviously have to figure that out for the 14 -- you know, we've obviously emphasized that we needed 15 to do that as a design decision in subsequent plant 16 designs, you know, the applications we've dealt with 17 over the past few years. All right. Thank you.
18 You've answered my question. Thank you very much.
19 MR. BEARDSLEY: Okay. Anybody else have 20 any questions?
21 MEMBER MARCH-LEUBA: Yes.
22 MR. BEARDSLEY: Go ahead.
23 MEMBER MARCH-LEUBA: This is Jose March-24 Leuba. Something you just said I wanted to hop on it 25 in a previous slide, but I was having silent problems.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
21 1 You said the licensee is responsible for 2 defining the critical assets that they have to 3 protect, which is the Step Number 2 on this slide.
4 MR. BEARDSLEY: Correct.
5 MEMBER MARCH-LEUBA: Do you have an 6 ongoing evaluation of how this changes with time? And 7 what I'm coming to is first, we have had to protect 8 against hackers, which are in the top 0.0001 percent 9 of the smartest people in the world. And some of them 10 have state support and even money. So you have to be 11 extremely careful.
12 And in the last five years, we have seen 13 an explosion of Internet-connected devices, what we 14 call IoT devices, Internet of Things, something like 15 smart lights, smart thermostats, you know, smart TVs, 16 microwaves.
17 MR. BEARDSLEY: Right.
18 MEMBER MARCH-LEUBA: So is there an 19 ongoing re-evaluation of how I can attack my system?
20 And I'm not talking monthly, yearly or bi-yearly but 21 an ongoing one? Something changing my plant, do I 22 need to do something different?
23 MR. BEARDSLEY: So that's a great 24 question. When we inspected the licensees back 25 between 2013 and 2015, we reviewed their methodology NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
22 1 for determining what assets had to be protected, what 2 were critical digit assets, and also inspected their 3 change control processes.
4 During the subsequent inspection program 5 that started in 2017, we again reviewed that list and 6 the changes that they had made. So any changes to the 7 program, any changes to the list of critical digital 8 assets, is something the staff will look at it in the 9 inspection space to make sure the licensee has 10 appropriately characterized the assets and made sure 11 that they are appropriately protected.
12 MEMBER MARCH-LEUBA: You know, I'm more 13 concerned with their changing the hardware in the 14 plant. Somebody plugs in an Alexa in his office.
15 Does that get evaluated?
16 If you change your protection system and 17 you go from computer type A to computer type B for the 18 protection system, of course, they're evaluated.
19 What I'm saying is the famous example of 20 the aquarium in the casino. Is there an aquarium 21 somewhere in the plant that has changed the 22 configuration?
23 MR. BEARDSLEY: Okay. So for the most 24 part, you know, the licensee has their own corporate 25 configuration management program and controls on the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
23 1 Level 1 and Level 2 network. So that's the 2 administrative network that will be sitting in 3 someone's office.
4 Level 3 and Level 4 are those assets that 5 have to be protected in accordance with the Cyber 6 Security Rule. And there are very specific 7 requirements on what assets have to be protected and 8 the controls associated with those assets.
9 So the licensees not only have systems in 10 place, they have to do vulnerability assessments, and 11 they have to do assessments of their digital assets to 12 make sure they're protected, you know, on an ongoing 13 basis.
14 So they do have, you know, a regular 15 program of periodic review, as is stated on the slide, 16 to look at their systems.
17 So if someone tried to plug something into 18 an asset, the licensee is responsible to identify that 19 either through log reviews or through an automated 20 system that would monitor whether something had been 21 plugged in.
22 Also, the licensees are expected to 23 mitigate any potential things plugged into their 24 critical digit assets through configuration management 25 and blocking of ports or a number of other defensive NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
24 1 methodologies.
2 MEMBER BALLINGER: This is Ron Ballinger.
3 Let me know if I'm getting too security conscious 4 here. But other organizations which I will not name 5 have teams whose business is to compromise a network.
6 Do you folks have such an organization that goes 7 around and tries to compromise a network to test it?
8 MR. BEARDSLEY: At the current time, the 9 NRC Inspection Program does not include that type of 10 activity. And there's a couple reasons for that.
11 One, we would never want to try and mess 12 with an operating nuclear power plant. That would be 13 very risky, and it's been determined to be not an 14 appropriate activity.
15 The other aspect of it is with the data 16 diode, it would be very difficult for an adversary to 17 reach the protected systems. They would have to 18 bypass the data diode, either through the portal media 19 program, which has a very specific set of requirements 20 and the staff has inspected or through supply chain or 21 some other threat vector.
22 So it is not likely that a penetration 23 type test, which is what I think you're talking about, 24 would add any value to the program at this time.
25 MEMBER MARCH-LEUBA: This is Jose again.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
25 1 I am concerned that people will give too much credit 2 to the little diode, which is a great thing to have.
3 But these guys can figure out ways to get past it.
4 You can have a wireless network at Level 4. It's 5 called the cell phone tower. You already have a 6 wireless network inside a plant. You just need a 7 little chip to assist.
8 So if you have -- you need to have an 9 inside threat, somebody that goes physically as an 10 extra thing with a button that you can bypass. So 11 let's give the credit where the credit is due but 12 don't give it 100 percent credit. It's only 99 13 percent effective.
14 MR. BEARDSLEY: And we don't give 100 15 percent credit. The staff has focused the last four 16 years of inspection on potential methods for bypassing 17 the data diode. Now the licensees do have 18 limitations, and they have committed to not having 19 wireless systems. They scan for wireless networks 20 that are unexpected. So from a wireless point of 21 view, the licensees understand very clearly what their 22 requirements and limitations are.
23 So we have focused on those areas that can 24 be used to bypass the data diode and that it will 25 continue to be one of the focuses of the industry and NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
26 1 the staff's oversight inspections.
2 CHAIR CHARLIE: Thank you, Jim.
3 MEMBER KIRCHNER: This is Walt Kirchner.
4 Just following up on Jose's points, and you live this 5 so it's not my particular line of business.
6 But with the evolving threats, without 7 getting into any kind of actual threat scenario or 8 mechanism, is it safe to say that line of defense with 9 the data diode, assuming that it's more than a data 10 diode. It's all portable media, et cetera, et cetera.
11 Are you finding that more and more things have to be 12 pulled inside the Level 4 or 3 envelope?
13 Do you see where I'm going with this? In 14 other words, you actually have to move your fence out 15 further in the plant in terms of balance of plant and 16 other support systems to protect against the evolving 17 threat and the technologies that could represent a 18 threat. Is that a safe assumption?
19 Are you finding as your licensees get into 20 this and do a continual review, you're pushing more 21 and more stuff? Either you can say it one way, you're 22 putting more and more on Level 4 and 3 or you're 23 moving that boundary out or both.
24 MR. BEARDSLEY: Actually, the staff and 25 industry have found that the industry may have over NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
27 1 included the number of digital assets and the level of 2 digital assets that need to be protected. So we have 3 and, you know, Member Brown asked me about the graded 4 approach earlier.
5 One of the things we've looked at in the 6 graded approach is to make sure that the right assets 7 are being protected at the right level. And in some 8 cases, we found that the licensee may have 9 overprotected some of their assets. And in doing so 10 by reducing the protection on some, it helps them 11 focus the protections they need on the most critical 12 asset.
13 So we have not seen extensions in the 14 barrier. In fact, we believe the barrier is sound and 15 is pretty well implemented right now. But let me --
16 MEMBER KIRCHNER: Okay. Thank you.
17 MR. BEARDSLEY: -- to your question, let 18 me just add one quick thing. So the staff has -- in 19 answer, we have a branch that does intelligence and 20 threat analysis. Through that branch and through our 21 interagency counterparts, the staff does monitor any 22 evolving threats and continuously is looking at the 23 potential for a threat that could bypass the systems 24 and the controls the licensees have in place. So 25 that's an ongoing effort that we have. I'm sorry. I NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
28 1 cut somebody off.
2 MEMBER KIRCHNER: No, thank you. I was 3 just trying to say thank you.
4 MR. BEARDSLEY: Okay.
5 CHAIR BROWN: Jim, the data diodes that 6 you all have observed or seen them install or have in 7 place, I presume those are literally hardware-based 8 data diodes. In other words, their direction, that 9 single directionality is not configured with software 10 processes?
11 MR. BEARDSLEY: It is a physical data 12 diode. It is a laser-based tool. And the laser only 13 fires from the Level 3 side down to the Level 2 side 14 or from the higher side to the lower side.
15 So you cannot physically -- the laws of 16 physics won't allow data to travel back on the 17 network.
18 CHAIR BROWN: Okay. I thought that was 19 the case, but I always worried about advertising from 20 some people that make these things so.
21 MR. BEARDSLEY: It's a pretty small 22 market. I'll tell you that.
23 CHAIR BROWN: Okay. You haven't gotten to 24 your graded stuff yet. So I'll wait. I'll save my 25 questions for that until you get there.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
29 1 MR. BEARDSLEY: Okay.
2 CHAIR BROWN: I have a question on that.
3 I just don't want to interrupt your thought process 4 here.
5 MR. BEARDSLEY: All right. All right.
6 We'll get there.
7 MR. HECHT: This is Myron Hecht. Can I 8 just go back to the last thing that Jim has said. You 9 said that there's a diode which allows a transmission 10 only from Level 3 to Level 2. Shouldn't it be the 11 other way?
12 MR. BEARDSLEY: No. You only want data to 13 travel from the secure level to the less secure level.
14 In other words, the licensees are doing diagnostics on 15 the systems in Level 3 and Level 4. They will pass 16 that down to the lower level so they can aggregate and 17 understand whether or not there are any issues.
18 MR. HECHT: Yes, yes, of course. Thank 19 you.
20 MR. BEARDSLEY: Okay. So this slide 21 focuses on our inspection program. The inspections 22 started out in the summer of 2017. And the staff 23 conducted a full implementation inspection at every 24 operating nuclear site in the country.
25 We completed all 58 of those inspections NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
30 1 in June of 2021. The inspections were a two week 2 inspection program conducted by two inspectors from 3 the appropriate region and two subject matter expect 4 contractors who supported them during the inspections.
5 We also have a team at headquarters in the 6 Cyber Security Branch that provides the inspection 7 teams technical backup on any questions that arise 8 during the inspections.
9 Although the inspections did identify a 10 number of very low safety significance findings, the 11 industry demonstrated with reasonable assurance an 12 understanding of the Cyber Security Plan requirements 13 and effective program implementation.
14 The staff observed at a high level some of 15 the following observations. The quality of critical 16 digital asset and system assessments was challenged at 17 some of the licensee sites. And the staff provided 18 feedback to the industry on that.
19 It didn't impact their ability to protect 20 the assets, but it may impact their ability to do 21 continuing analysis or change control in the future.
22 In addition, the licensees were challenged 23 conducting vulnerability assessments on their 24 programs. And the challenge there is they have a 25 large number of digital assets, and there's a NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
31 1 significantly large number of vulnerabilities that are 2 identified by industry and the government on an 3 ongoing basis. And the licensees did have some 4 challenges in collecting and evaluating those 5 vulnerabilities. The staff did cite some violations 6 in this area. And industry has made strides to 7 improve that process.
8 Another area that the staff found was in 9 the licensee's implement of their cyber security 10 defense in-depth, there were times when the licensees 11 had not fully implemented their defense in-depth 12 programs. The staff again cited that and the industry 13 has continued to improve those over time. Any 14 questions about the inspection program?
15 CHAIR BROWN: Jim, I have to backtrack one 16 more time on the previous slide. If you could go back 17 to that. Talking about physical security, did you --
18 you talked about being, you know, the outfit monitors, 19 making sure the overall site is safe.
20 MR. BEARDSLEY: Correct.
21 CHAIR BROWN: All the guard information, 22 all the detecting type information for intruders, all 23 that kind of stuff, that generally has an evolving 24 nature if stuff gets upgraded. I mean, people always 25 want to make it better.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
32 1 I note you were talking about in one of 2 your later slides, and you mentioned wireless. A lot 3 of the stuff in this physical security world is 4 wireless associated. And I guess have you all looked 5 at that relative to systems?
6 Maybe the right way to say it is those 7 responsible for physical security are not allowing any 8 wireless type connections back down in that Level 4 9 area or the security world?
10 MR. BEARDSLEY: That is correct.
11 CHAIR BROWN: Okay.
12 MR. BEARDSLEY: The licensees are not at 13 the time by their Cyber Security Plan allowed to 14 connect wireless systems to their critical digital 15 assets. They could in the future do that. But they 16 would have to do significant analysis and the staff 17 would be inspecting that to make sure that it meets 18 the appropriate requirements.
19 CHAIR BROWN: Yes. One of my concerns was 20 if you -- you don't have it now, but somebody brings 21 in a piece of new equipment. It's a real super 22 whamadyne. Everybody loves it because it's going to 23 simplify all the work. And it's got something buried 24 in it that's wireless and now all of a sudden you've 25 got a path.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
33 1 I don't know how you monitor that. You 2 know, I'm not a radio engineer anymore. But I guess 3 I'm always worried about new stuff coming in because 4 it seems like the world, as it operates today, as Jose 5 noted, the Internet of Things is now also in the air 6 all the time, its connectivity, so.
7 MR. BEARDSLEY: Right. Through the 8 licensee's change control program, they have to do a 9 very robust evaluation to include their cyber security 10 requirements. And we inspect those changes, both 11 through cyber security inspections and through the 12 NRC's routine change control inspections.
13 So we are looking at that. And industry 14 is aware that the implementation of wireless is 15 something that will be a challenge for them. And we 16 do have a discussion on that topic later in the 17 presentation.
18 CHAIR BROWN: Okay. Thank you.
19 MEMBER HALNON: Hey, Jim. This is Greg 20 Halnon. On the inspection program, you mentioned 21 challenges in several areas, and those are pretty much 22 downstream of the initial identification of CDAs, 23 which is real documentation intensive.
24 Did you get a sense that the 25 overidentification of CDAs was taxing the resources NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
34 1 such that those challenges manifested downstream of 2 the process or were those challenges just pretty much 3 specific to the licensee issues?
4 MR. BEARDSLEY: I would say the answer is 5 both. You know, any time you're trying to manage 6 thousands of digital assets, that's a pretty 7 significant effort.
8 So if through evaluation the staff and 9 industry find that we can reduce that overall effort 10 and allow them to focus on the assets that are found 11 to be of higher importance, and I'll just characterize 12 it as that, arguably, that would help them focus on 13 their program.
14 So I can't say, you know, explicitly one 15 way or the other because each licensee is different 16 and each case was different. But that was one of the 17 areas that was identified during our self-assessment 18 that I'll talk about in a moment and one of the things 19 that we've worked on over the past few years.
20 MEMBER HALNON: Okay. It seems like a 21 graded approach then would try to reduce the front end 22 piece as well so that resources could be not so tied 23 up on the initial discussion.
24 I know that piece is past this. But it's 25 still, you know, what you mentioned overidentification NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
35 1 of CDAs is still there. And there's still a lot of 2 ornaments that go around that to manage that.
3 So some resources, I know, is a key issue 4 throughout the industry. I would be interested down 5 the road of seeing how the graded approach might help 6 alleviate some of the resource issues that we have.
7 MR. BEARDSLEY: Sure. As I stated 8 earlier, we have learned a significant number of 9 lessons since 2012. And one of the things that we're 10 looking at in our future cyber security rulemaking is 11 making sure we've right-sized that assessment process 12 and the identification of digital assets. And we'll 13 talk some more about that in the presentation as well.
14 MEMBER HALNON: Very well. Thanks.
15 CHAIR BROWN: Jim, when you get to your 16 graded approach, that's just another word for risk-17 informed and not personal thought processes. Are you 18 going to be able to provide some information on 19 criteria that will allow you to even think about a 20 graded approach as to not -- is there some 21 partitioning that some things will never get there but 22 others are because of some circumstances or some 23 characteristics?
24 MR. BEARDSLEY: Well, you're --
25 CHAIR BROWN: If you do that later, that's NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
36 1 fine. I just wanted -- that's one of the questions I 2 had for later.
3 MR. BEARDSLEY: That's a great segue. So 4 what I'm going to talk about now is the self-5 assessment that the staff conducted of our cyber 6 security oversight program and every element in it, 7 from the rule through the implementation, through 8 licensee implementation and our inspection program.
9 We conducted that assessment in 2019.
10 Staff provided management with a report on the results 11 of that assessment. The assessment included 12 significant engagement with stakeholders, multiple 13 public meetings. And on the next slide, I'm going to 14 talk about our action plan that we put together to 15 address a number of the areas that were identified 16 during the assessment.
17 Some of those areas are systems where we 18 have looked at a graded approach and the staff will 19 talk about that and talk about those particular areas 20 and how we've approached it. So hold the question for 21 a second. We're going to give you some specifics here 22 in just minute.
23 CHAIR BROWN: Okay. I don't want you to 24 take it -- I'm pretty overbearing it seems like 25 sometimes as you've probably figured out over the last NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
37 1 few years. I'm very concerned about this particular 2 area. So that's why -- I'm not against that.
3 My concern is we overdo the classification 4 of what stuff needs to be, you know, really wrapped up 5 tight with millions of sheets of paper and which ones 6 don't. It's just a matter -- I like to see certain 7 criteria type stuff. You throw it off to the side, 8 stuff that there's no way you can put virus software 9 in, you know, plant control systems, trips, et cetera, 10 et cetera.
11 There's other things that don't meet that 12 criteria. They're not in that category. And it just 13 seems to me to make it easy, it's nice to put things 14 in little -- different rice bowls if you want to call 15 it that, put the stuff that you don't care about and 16 so that you don't beat the licensees to death on this 17 stuff.
18 MR. BEARDSLEY: Right.
19 CHAIR BROWN: But it can be overbearing.
20 So don't think I'm just, you know, give me a data 21 diode on every piece of equipment that's in there.
22 That's not the way I think. I just really would like 23 to see how we get to the point and make sure our 24 really important systems don't even get tested. So 25 that's --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
38 1 (Simultaneous speaking.)
2 CHAIR BROWN: Okay? Thanks.
3 MR. BEARDSLEY: Right. Absolutely. So 4 after we completed our interim inspections in 2015, 5 the staff and industry identified the fact that there 6 were some challenges in the area that you're talking 7 to.
8 NEI developed a guidance document, 9 Document NEI 13-10, that was used by industry and the 10 staff to develop the graded approach to digital asset 11 protection.
12 So there are classes of digital assets 13 that have full protection, 160 odd controls. And 14 there are other classes of digital assets that have a 15 significantly lower number, somewhere around 15, you 16 know, a dozen to 15 controls.
17 So we have tried to do that and tried to 18 look at the total group of digital assets. And what 19 the staff is going to talk about in a minute is how 20 we're further evaluating that and further looking at 21 how we can grade that.
22 So the staff conducted the assessment in 23 2019, provided an action plan to management in the 24 fall of 2019. And the action plan identified a number 25 of areas that the staff felt were worthy to be NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
39 1 evaluated as part of our program.
2 Those areas are listed on this slide. And 3 we broke -- and we further broke them down into 4 prioritization of things that we would look at.
5 Our initial focus areas were primarily 6 looking at digital asset identification, analysis and 7 protection in the areas of emergency preparedness, 8 balance of plant, safety-related and important safety 9 systems and -- did the slides just drop?
10 CHAIR BROWN: Yes. You're okay. I just 11 compared it to mine on my other computer so.
12 MR. BEARDSLEY: All right. They just 13 dropped from my computer but hopefully they're still 14 there.
15 CHAIR BROWN: It just stayed.
16 MR. BEARDSLEY: So the staff is going to 17 speak to each one of those four areas in detail on the 18 following slides. In addition, the staff and industry 19 identified -- or excuse me. The staff and the Office 20 of Inspector General during their audit of our 21 inspection program identified opportunities to 22 performance inform our inspection program. And the 23 staff is actively developing a new inspection 24 procedure that we believe is focused on licensee 25 performance and performance informing our oversight.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
40 1 There we go. The next area the staff 2 focused on was the best practices for digital asset 3 assessment. And those best practices have been 4 incorporated into the current revision of Regulatory 5 Guide 5.71 that is in the review process. Finally --
6 MEMBER HALNON: Jim.
7 MR. BEARDSLEY: -- I'm sorry, yes.
8 MEMBER HALNON: Jim, on 5.71 is the NEI 9 document keeping pace with it since 99.9 percent of 10 the plants are committed to the NEI document?
11 MR. BEARDSLEY: At this time, NEI has not 12 decided whether or not they're going to update NEI 08-13 09, which is the document that they based their cyber 14 security plans on. So that will be a question that 15 industry evaluates once the Regulatory Guide is 16 complete.
17 MEMBER HALNON: Okay.
18 CHAIR BROWN: Well, they are updated. I 19 guess, it looks like you have all interacted with them 20 on what, 13-10 and --
21 MR. BEARDSLEY: 10-04.
22 CHAIR BROWN: -- conditional 4.
23 MR. BEARDSLEY: Right.
24 CHAIR BROWN: But yet, I had never seen 25 08-09 even referenced. So I'm not familiar with that NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
41 1 one at all. But that's the primary one. I guess we 2 need to find that one.
3 MR. BEARDSLEY: Okay. We can make that 4 available to you as well.
5 CHAIR BROWN: That would be much 6 appreciated.
7 MR. BEARDSLEY: Okay. The other two 8 areas, clarification of program definitions and terms 9 was identified by both industry and the staff because 10 there are a number of guidance documents. There's an 11 NEI guidance document and there's a staff guidance 12 document. And what we found was in some cases our 13 definitions and terms weren't the same.
14 So we're working with industry to try and 15 clarify that and make sure we're all speaking to the 16 same definitions. And that's an ongoing effort as we 17 update various different documents.
18 And finally the area of risk-informing 19 control sets for digital assets, that's really looking 20 at the future and how do we potentially come up with 21 other methodologies that are different from that laid 22 out in Reg Guide 5.71 or potentially the NEI 08-09 for 23 implementation of cyber security programs in the 24 future? Again, that's an ongoing effort that includes 25 the Part 53 rulemaking and other areas that industry NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
42 1 is evaluating.
2 Now I'm going to turn it over to Mario 3 Fernandez, who is going to discuss our changes to the 4 emergency preparedness digital assets. If I can 5 change the slide, oh, went too far. There we go.
6 MR. FERNANDEZ: Thank you, Jim. This is 7 Mario Fernandez, Cyber Security Specialist in the 8 Cyber Security Branch. As Jim Beardsley stated in the 9 most recent assessment of the program, several areas 10 were identified as areas for further risk informing to 11 improve the efficiency and effectiveness of the power 12 reactor cyber security program.
13 One of those areas identified is the 14 emergency preparedness critical digital asset 15 determination or what we call for a short term, EP 16 CDAs.
17 Recognizing that an evolving program can 18 benefit from lessons learned, the cyber security staff 19 evaluated the proposed changes by the industry through 20 EP CDA determination and the NEI guidance, which is 21 related to Section Bravo 1 of 10 CFR 73.54, which 22 requires licensees to analyze digital computer 23 communication assistance and networks and identify 24 those assets that must be protected against cyber-25 attacks.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
43 1 The review and evaluation process required 2 two public meetings. One public meeting that took 3 place in November of 2019 and another meeting that 4 took place in August of 2020.
5 Many iterations of the proposed changes, 6 various reviews and evaluations by the NRC staff, 7 reaching alignment into the NRC industry to ensure the 8 proposed changes meet the requirements of 10 CFR 73.54 9 and finally a tabletop workshop conducted in August of 10 2020 to ensure implementation of the guidance is 11 consistent with NRC approved implementation, 12 strategies or approaches.
13 The new and improved guidance for EP DA 14 screening, or digital asset screening, accomplishes 15 the following.
16 It adopts a more risk-informed approach, 17 that is an asset is identified for protection 18 commensurate with the risk significance of that asset.
19 And this approach is aligned with NRC emergency 20 preparedness requirements and emergency plans, 21 licensee emergency plans.
22 The enhanced EP DA screening methodology 23 is more granular and considers methods and criteria 24 that gives licensees the flexibility to take credit 25 for methods that are required in the EP regulations NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
44 1 and the licensee's emergency plans.
2 This screening methodology provides 3 efficiency and effectiveness to the power reactor 4 cyber security program because it reduces the number 5 of digital assets incorrectly identified for 6 protection thus allowing licensees to reallocate its 7 resources to the safety and security areas.
8 The Cyber Security Branch staff evaluated 9 these changes and determined that this proposal is 10 consistent with NRC approved implementation strategies 11 or approaches described in NRC Regulatory Guide 5.71, 12 Cyber Security Program for Nuclear Facilities.
13 These changes will be incorporated in 14 future revisions of NEI 10-04, Revision 2, titled, 15 Identifying Systems and Assets Subject to the Cyber 16 Security Rule and NEI 13-10, Revision 6, titled, Cyber 17 Security Control Assessments.
18 CHAIR BROWN: Can I ask a question on 19 this, on the 13-10 and 10-04?
20 MR. FERNANDEZ: Yes, Member Brown, please.
21 CHAIR BROWN: You all had -- part of the 22 -- thank you. As part of the documentation you sent, 23 there were two submittals to the NRC from NEI that 24 covered changes to both 10-04 and 13-10. And there 25 were subsequent letters which went back to NEI which NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
45 1 said that they were -- and I've read it as best I 2 could on your terminology, they were consistent with 3 what you all thought. In other words, you didn't 4 disagree with them.
5 Let me finish my thought process a little 6 bit. I'm a little bit slow here. With that thought 7 in mind, correct me if I'm wrong, the emergency 8 planning efforts are largely carried out -- correct me 9 if I'm wrong, from the emergency support center. If 10 there was a program, it's outside of the plant 11 boundaries. Am I correct on that?
12 Normally, we see an ESC that's not within 13 the plant, but it's out on the site within the 14 boundary conditions. And you need to communicate bi-15 directionally in many, many different ways. So it 16 would seem to me that this is a pretty strong area to 17 have to pay attention to since you don't want guidance 18 or requests to do certain things to be compromised in 19 those interchanges.
20 I just -- this seems to me a big threat 21 problem to me. That's why I'm asking the question.
22 Is that part of the overall -- I mean, obviously 23 you've got to do bidirectional communications all over 24 the place. You've got to let NRC know. You've got to 25 let these people know. The governor has got to know, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
46 1 et cetera.
2 That seems to be a tough challenge today.
3 Do you do it independently? Do you segregate some 4 systems or is it a combination of those?
5 MR. FERNANDEZ: Member Brown, you are 6 partially correct. Licensees, depending on where the 7 EP digital asset is located, its function, they 8 perform the analysis and then they make the 9 determination whether the EP function can be performed 10 or not.
11 If the EP function cannot be performed 12 because the digital asset is cyber compromised, let's 13 say, then the licensee is required to provide 14 protections for that particular digital asset. That's 15 the granularity that exists in the enhanced 16 methodology. Does that answer your question, Member 17 Brown?
18 CHAIR BROWN: Well sort of. I mean, it's 19 my impression if you look at what's been going on in 20 other industries today, hackers have been getting in 21 and turning things around and starting stuff that 22 shouldn't be started. Shutting down stuff that 23 shouldn't be shut down.
24 And so all of your -- my feeling is most 25 of the cyber protection functions are reactive. All NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
47 1 your virus protections are basically reactive. So 2 you're fighting the last battle. In other words, 3 you're fighting the last war that tried to get 4 through, not the current war that may come and get 5 you.
6 Are there any what I call hardened data 7 communication pathways which implement using a data 8 diode or hard-wired type stuff as a backup? It 9 doesn't have to be as extensive, but something what I 10 call a backup to the more flexible digital approach.
11 MR. FERNANDEZ: Yes, Member Brown, you are 12 correct. So there are digital assets as you have 13 mentioned that are hardened, and they may be behind 14 the data diode. Those digital assets are required to 15 be fully protected.
16 And, therefore, throughout inspections we 17 have verified that the licensee is putting all the 18 appropriate security controls, physical as well as 19 logical, in those EP digital assets that are supposed 20 to be fully protected. And all the digital assets 21 that required a certain level of protection, they also 22 rely upon performing the EP function with other means, 23 which the methodology allows licensee -- and provides 24 the flexibility to do so.
25 CHAIR BROWN: Okay. Thank you very much.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
48 1 I appreciate it.
2 MR. FERNANDEZ: Yes, Member Brown. And 3 now I will introduce my colleague, Dan Warner, who is 4 going to speak about the balance of plant digital 5 asset determination. I turn it over to you, Dan.
6 MR. WARNER: Thank you, Mario. Good 7 afternoon. And for those participating, we are on 8 Slide 10. My name is Dan Warner. And I'm an IT 9 Specialist Cyber in the Cyber Security Branch. And 10 I'm here to discuss changes to balance of plant, or 11 BoP, CDA determination guidance. BoP CDAs -- I'm 12 sorry.
13 CHAIR BROWN: This is Charlie Brown again.
14 I'm sorry to interrupt -- well, I'm not sorry to 15 interrupt. I actually have a question so.
16 MR. WARNER: Sure. Please go ahead.
17 CHAIR BROWN: I'm not quite as versed in 18 all the nomenclature inside the plants, balance of, I 19 think, in terms of, you know, rod control systems and 20 ESFAS systems, reactor trip, I call those reactor 21 safety systems.
22 But you've obviously got switch gear, 23 turbine generators. Is that balance of plant or 24 miscellaneous other pumps and valves that have to be 25 operated? I don't know where the dividing line is NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
49 1 between what I traditionally deal with and what people 2 refer to as balance. Do you have an example of what 3 balance of plant stuff is for poor little me?
4 MR. WARNER: So your balance of plant 5 stuff is pretty much the power generating portion of 6 the plant. So past any safety systems on the turbine, 7 essentially from the generator outward to the first 8 inter tiebreaker to the grid.
9 CHAIR BROWN: Okay. Okay. So it's right 10 after the generator to connect again to the grid then.
11 It's all that stuff.
12 MR. WARNER: Yes. And there are systems 13 that would be associated with the turbine that are 14 non-safety related or generator as well that would be 15 included in that.
16 CHAIR BROWN: You mean, like voltage 17 regulators and governors, I mean, those type of 18 support that actually make them run and operate or is 19 it the cooling systems for the turbine generator? Is 20 it all that stuff?
21 MR. WARNER: Yes. Some of the plants, I 22 think, define the area a little differently. But in 23 general, we typically call it the stuff that's used to 24 just actually make the power as opposed to the main 25 steam system with the reactor --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
50 1 CHAIR BROWN: Okay.
2 MR. WARNER: -- and through there.
3 MEMBER HALNON: Charlie, think turbine 4 building.
5 CHAIR BROWN: I got it. That's a nice 6 definition. Thank you very much. Okay.
7 MR. WARNER: Thank you.
8 CHAIR BROWN: You're welcome.
9 MR. WARNER: So BoP CDAs are those CDAs 10 that were added to the scope of the Cyber Security 11 Rule during the resolution of FERC Order 706-B.
12 Industry proposed aligning the BoP CDA evaluation 13 criteria with the review NERC CIP standards, which are 14 based on impact to the bulk electric system.
15 What this means is that BoP digital assets 16 that can result in a loss of power to the bulk 17 electric system of 1,500 megawatts or less are low 18 impact and have a reduced set of cyber security 19 requirements.
20 BoP digital assets that can result in a 21 loss of power to the bulk electric system of greater 22 than 1,500 megawatts are medium impact and have a 23 greater set of controls which are similar to our 24 current BoP CDAs.
25 The grid operator can also indicate a NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
51 1 plant as medium impact under specific circumstances to 2 maintain grid operation and reliability.
3 Most BoP CDAs will end up in the low 4 impact category. This will allow licensees to reduce 5 the number of controls on a significant number of CDAs 6 and instead focus their resources on those assets with 7 a higher safety significance.
8 As you can see on the slide, we had a 9 number of public meetings to discuss the document.
10 The initial public meeting occurred in 11 January 2020 and then NEI first submitted the paper in 12 April of 2020. We addressed concerns and fed them 13 back to NEI. And they submitted a revised paper to 14 address those concerns in July of 2020.
15 FERC staff were involved throughout the 16 review of the proposed guidance changes, and they were 17 satisfied with the final document.
18 In August of 2020, NRC staff included the 19 proposed changes in the paper are consistent with the 20 requirements of 10 CFR 73.54 as well as the NRC 21 approved implementation strategies or approaches 22 described in Reg Guide 5.71 and NEI 08-09, Rev. 6.
23 And as Mario mentioned previously, these 24 changes we are discussing will all be rolled up into 25 future revisions in NEI 10-04 and NEI 13-10. And if NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
52 1 there's no questions, here's Eric Lee to talk about 2 the safety-related and important to safety white 3 paper.
4 MEMBER HALNON: Hey, Dan, this is Greg 5 Halnon.
6 MEMBER KIRCHNER: This is Walt Kirchner.
7 MR. WARNER: Okay.
8 MEMBER KIRCHNER: You are implementing a 9 FERC order. So I'm not asking you to comment on this.
10 I would just observe that the threshold of 1,500 11 megawatts is very high. I guess FERC doesn't rule 12 over ERCOT, but events in Houston would suggest a 13 lower threshold in terms of the critical importance of 14 nuclear power. You don't have to comment.
15 MR. WARNER: Okay. Thank you.
16 MEMBER HALNON: Dan, this is Greg Halnon.
17 Did you guys -- I mean, early on, there was a concern 18 that FERC and the NRC might be onsite doing different 19 types of oversight on the same systems. Did you guys 20 get an MOU or something with FERC to cover their 21 systems?
22 MR. WARNER: That is correct. When this 23 order was initially issued back in 2009, they put 24 together a Memorandum of Agreement between FERC and 25 the NRC that documents that NRC is going to be NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
53 1 cognizant of everything from the first inter-2 tiebreaker into the plant that maintains one regulator 3 within the plant.
4 MEMBER HALNON: What ongoing discussions 5 did you guys have at FERC? Do you have incoming 6 reports that you give them or any kind of assurances 7 or anything relative to your inspection process?
8 MR. WARNER: I'm going to ask Jim to chime 9 in. I know there are commission meetings between FERC 10 and the NRC, and I'm not sure if these are involved.
11 So I'll let him weigh in on that.
12 MR. BEARDSLEY: During the every two year 13 FERC and NRC Joint Commission meeting, the staff does 14 provide an update on the inspection program and what 15 we've found, but we do not have a routine reporting 16 process for FERC. If we did find significant issues 17 in a licensee site, the staff does have routine 18 communications with FERC staff, and we would inform 19 them thereof.
20 MEMBER HALNON: And I was really 21 interested in vice versa, where non-nuclear facilities 22 may come up with some issue or lessons learned or 23 other issues that may have happened from a cyber 24 perspective. How do you guys get word of that?
25 MR. BEARDSLEY: The staff has a number of NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
54 1 different liaisons with the Department of Homeland 2 Security in particular. And we're establishing 3 various lines of communication with the new Department 4 of Energy agency that's responsible for cyber, and I 5 can't remember what their acronym is.
6 And so that's really where we would do our 7 interagency liaison. We also have a full branch in 8 NSIR whose primary responsibility is intelligence 9 analysis and interagency liaison. So we have multiple 10 different lines of communication.
11 MEMBER HALNON: Okay. So is there no one 12 national clearing house that accepts all the cyber 13 issues or is that DHS?
14 MR. BEARDSLEY: That's DHS CISA, that's 15 Cyber and Infrastructure Security Agency.
16 MEMBER HALNON: Okay. And then it all 17 feeds out from that.
18 MR. BEARDSLEY: Correct.
19 MEMBER HALNON: It feeds in and feeds out 20 from there. Okay.
21 MR. BEARDSLEY: Correct.
22 MEMBER HALNON: Thanks.
23 MR. WARNER: Okay. If there are no more 24 questions then Eric, take it away.
25 MR. LEE: Thank you, Dan and good NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
55 1 afternoon. My name is Eric Lee from the Cyber 2 Security Branch. And I'm a Senior Cyber Security 3 Specialist. And I'm on Slide Number 11.
4 This white paper does safety-related and 5 important to safety white paper is a sister paper to 6 the BoP white paper that my colleague, Dan, just 7 explained.
8 Like the BoP white paper, safety-related 9 and important to safety white paper provides proposed 10 changes to NEI 10-04 and NEI 13-10.
11 As stated previously, the focus of the BoP 12 white paper is providing guidance for identifying BoP 13 CDAs that were added to the scope of the Cyber 14 Security Rule as an important to safety CDA during the 15 resolution of FERC Order 706-B.
16 However, the focus of the safety-related 17 and important to safety white paper is providing 18 guidance for identifying those digital assets that the 19 Cyber Security Rule originally intended to identify as 20 safety-related and important to safety CDAs.
21 The term safety-related is defined in the 22 regulations. However, the term important to safety is 23 not even though the term is used in the NRC 24 regulations and used throughout the history of the 25 NRC.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
56 1 As a result, everyone seemed to have a 2 picture or an idea of what important to safety systems 3 and equipment should be. But the picture that 4 everyone draws in their mind may not be the same.
5 So guidance provided in the white paper 6 aligned the term safety-related to the definition 7 provided in 10 CFR 50.2 and closely aligned the term 8 important to safety to how the NRC historically used 9 this term.
10 This ties safety-related and important to 11 safety systems and equipment for the purpose of 12 identifying safety-related and important to safety 13 CDAs to those systems and equipment that are 14 accredited to meet the licensees current licensing 15 basis to shut down the reactor, maintain it in a 16 shutdown condition and prevent the release of a 17 radioactive material during the event and accidents to 18 meet its current licensing commitments or its current 19 design basis.
20 Additionally, any systems and equipment 21 that meets the following two conditions are protected 22 as safety-related or important to safety CDAs. One, 23 any system or equipment that functionally interfaces 24 with the safety-related or important to safety 25 equipment that I mentioned earlier.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
57 1 Two, if a compromise of a cyber attack of 2 a subsystem and equipment interfacing with the safety-3 related and important to safety equipment could 4 adversely impact the safety-related or important to 5 safety function, if that is so, then they are 6 protected in the same manner as the safety-related or 7 important to safety CDA.
8 This white paper took a year to develop.
9 It began in August of 2019 when NEI and the NRC met to 10 discuss the concept of safety-related and important to 11 safety system and equipment for the purpose of 12 identifying CDAs.
13 A year later in August of 2020, the NRC 14 accepted the white paper after NEI addressed the 15 staff's comments on its white paper that NEI submitted 16 in May of 2020.
17 Staff provided its comment in a public 18 meeting in June 2020. This allowed licensees to use 19 the guidance provided in the white paper before NEI 20 updates 10-04 and NEI 13-10. Any questions?
21 MEMBER HALNON: This is Greg Halnon. I 22 have a question. It may be more for the Branch 23 Chiefs. But is this the typical regulatory process?
24 I thought typically that NEI would write a document.
25 The NRC would endorse it through a Reg Guide. But it NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
58 1 appears that we're kind of paralleling that with white 2 papers and NEI documents that are agreed to and a Reg 3 Guide that's only being used by one licensee.
4 Is that the way that we have planned this?
5 Was there some other thing behind the scenes that's 6 going on?
7 MR. BEARDSLEY: Greg, that's a good 8 question. Planning it is a little bit challenging.
9 Because we knew there were a series of changes that 10 were going to happen to these guidance documents, but 11 through the assessment process and the feedback we 12 received from stakeholders, we recognize that these 13 were areas that we felt were important to be 14 addressed.
15 The industry elected to submit a series of 16 white papers while it's trying to update the documents 17 in a sort of parallel fashion, which would have been 18 very challenging.
19 So it does seem a little strange the way 20 it played out. But it provided the industry the 21 feedback in these areas more quickly than they would 22 have had we had to wait until the guidance documents 23 had been updated for each one individually.
24 When they're done, which we are done now 25 with all four of the white papers, industry is NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
59 1 preparing a comprehensive update to each of these 2 guidance documents. And the staff will have the 3 opportunity to review that in total.
4 MEMBER HALNON: Do you anticipate you'll 5 endorse those through a Reg Guide or some other more 6 established mechanism?
7 MR. BEARDSLEY: As a general practice, we 8 have not endorsed the NEI guidance documents for cyber 9 through Reg Guide. We have accepted them for use by 10 letter.
11 MEMBER HALNON: Okay. That seems like a 12 one-off as well but maybe it's been done in the past.
13 I just didn't know.
14 CHAIR BROWN: If you've accepted those --
15 I tried to look at some of these white papers. I 16 couldn't define everything. I was looking for the 17 ones that defined these safety-related and important 18 to safety functions. And I was trying to get a 19 definition of what that was. I didn't see a clear 20 definition of what somebody claimed to be safety-21 related or any examples. Was that deliberately left 22 out in terms of providing examples for what that 23 means? It's pretty wordsmithed in most of the places 24 I was able to find.
25 MR. BEARDSLEY: So just for context, this NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
60 1 particular white paper is different than the other 2 three in that we wrote a number of inspection findings 3 in this area because the licensees had underprotected 4 the systems. So they had classified systems that we 5 felt should have had a full suite of controls as 6 having a lesser suite of controls.
7 And so the goal of this effort was to be 8 very clear to industry on what needed to be protected 9 more and what needed to be protected less. And I 10 think Eric would agree with me that the result is more 11 systems will be protected as a result of this part of 12 the initiative.
13 MR. LEE: And certainly, Member Brown, to 14 your point, to help the licensees and the inspectors 15 understand what systems and equipment should be 16 considered safety-related and important to safety for 17 the purposes of identifying critical digital assets, 18 we have provided the 10 steps to identify what systems 19 are considered safety-related and what systems are 20 considered important to safety CDAs.
21 CHAIR BROWN: Are those in the white 22 papers? One white paper I found on safety-related 23 versus and affected -- I guess, it was an NEI document 24 dated July 17, 2020, and it showed changes to NEI 10-25 04 and 13-10. And it was all related to the -- let me NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
61 1 get the title correct so I don't mess that up --
2 safety-related and items important to safety.
3 But they refer to things like integrity, 4 the reactor coolant boundary, the capability to shut 5 down. Some of that didn't change. But then a lot --
6 there were a lot of red markups when you got to the 7 changes which didn't seem to relate.
8 I'm kind of echoing Greg's thought 9 process. It seemed backwards. I would have expected 10 instead of these things showing up in industry 11 documents, I would have thought that they would have 12 ended up being categorized within, you know, 5.71 or 13 something like that to categorize this particular 14 terminology to make sure there was one consistent NRC 15 document that told people what was what, what was 16 safety-related and what qualified as important to 17 safety. But as opposed to that, you have to now go to 18 all these other documents.
19 I haven't read any of the revisions. I've 20 tried to look through parts of the new 5.71, but it's 21 increased considerably in size from 114 pages to 144 22 or something like that. So it got a little bit 23 difficult to go side-by-side and compare them.
24 So it just seemed a little bit backwards.
25 I guess that's a little bit of a concern is how well NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
62 1 is this stuff defined?
2 MEMBER KIRCHNER: This is Walt. Eric, is 3 this defined in your white paper?
4 MR. LEE: Yes, sir.
5 MEMBER KIRCHNER: Did you see any of that, 6 Charlie?
7 CHAIR BROWN: The only paper I had that I 8 saw was a white paper on this was an NEI Document 9 E200-717-TE040841 dated 7/17/20, changes to the NEI 10 documents. And I didn't see another white paper in 11 anything we got. I saw then there was a response to 12 that.
13 MEMBER KIRCHNER: Well, Charlie, this is 14 a side observation, but this is very important and 15 useful for 10 CFR 53 deliberations because clearly in 16 10 CFR 53 draft rule language, they're going to have 17 to deal with definitions.
18 This approach that Eric has described 19 strikes me as a functional approach that could be, you 20 know, getting beyond the 10 CFR 50.2 definition of 21 safety-related to a more generic technology inclusive 22 definition. What the staff has done here might be 23 very relevant to the 10 CFR 53 development.
24 MR. BEARDSLEY: Yes, we'll be discussing 25 at a high level our first 10 CFR 53 cyber security.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
63 1 But I think that -- I agree that the appearance of 2 just looking at the white papers can be confusing. We 3 will be receiving a markup of the guidance documents 4 from NEI in the next few months. And I think that 5 once you see all of the changes associated with the 6 document, it will be much clearer how this all works.
7 And so what industry is going to do is 8 they take the white paper that Eric addressed and then 9 they'll go implement the changes in the white paper to 10 their own implementing procedures, which are based on 11 the NEI guidance documents.
12 So it's clearer to the user than it is to 13 maybe the casual reader.
14 MEMBER KIRCHNER: Yes. But for our 15 purposes put the NEI aside that's more of an industry 16 position. It's the staff's position that I'm the most 17 interested in. Is this white paper available to us?
18 MR. BEARDSLEY: Yes. It's the paper that 19 Member Brown mentioned a moment ago.
20 CHAIR BROWN: If that's the July -- that's 21 the July 23 -- that letter number that I wrote or 22 referenced? I think it was the E200-717-T040841 of 23 7/17/20?
24 MR. BEARDSLEY: We'll verify that for you 25 and make sure that you have the right one. I believe NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
64 1 that is correct.
2 CHAIR BROWN: It was about 19 pages long.
3 And it had a lot of red inside the document. And 4 those changes were to NEI 10-04 and then I think at 5 the very end, they got into 13- --
6 MR. BEARDSLEY: 13-10, correct.
7 CHAIR BROWN: -- 13-10, correct. But they 8 referenced, I guess, one of the sets of words that I 9 had highlighted where they had talked about stuff that 10 could be thrown in to some other category. I couldn't 11 figure it out.
12 It was examples of equipment that does 13 something. It would be electrical equipment powered 14 from the 1E tire supplies and are classified under the 15 1.97. So it started tossing around Reg Guides like 16 candy at a child's party. I lost track of what was 17 going on.
18 I wasn't able to read that entire white 19 paper and understand it relative -- I just got the NEI 20 document a day or so ago. So it just seems --
21 (Simultaneous speaking.)
22 MEMBER KIRCHNER: Well, Charlie, I'm just 23 repeating myself, but the staff's position is what I'm 24 interested in --
25 CHAIR BROWN: Yes.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
65 1 MEMBER KIRCHNER: -- not a markup by NEI.
2 CHAIR BROWN: This is NEI's document. I 3 agree with you.
4 MEMBER KIRCHNER: This is a fundamental 5 important thing in developing the10 CFR 53 rule.
6 CHAIR BROWN: I agree with you. It's just 7 a matter of how do you get these things integrated 8 together? And you don't want to develop another rule 9 that has another set of terminology that you have to 10 deal with so. Okay. So we're informed of what you're 11 doing. Any other questions before we move on? Okay.
12 Eric.
13 MR. LEE: Thank you. Now, here is Brian 14 Yip to talk about the security white paper. Brian?
15 MR. YIP: All right. Thanks, Eric. Good 16 afternoon. My name is Brian Yip. I'm a Cyber 17 Security Specialist in the Cyber Security Branch in 18 NSIR. And I'm going to talk about the final white 19 paper for this afternoon, which addresses critical 20 digital assets related to physical security systems.
21 And like the others, it proposes changes 22 to NEI 10-04 and NEI 13-10 to clarify guidance on how 23 to identify physical security critical digital assets 24 and the appropriate controls to apply to them. And I 25 focused on four areas.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
66 1 First, it tied the definition of a 2 physical security function, you know, when we talk 3 about safety security and emergency preparedness 4 functions, it tied the physical security functions to 5 the physical security regulations in 10 CFR 73.55(b).
6 So, for example, access control systems, 7 physical barriers, you know, alarm intrusion detection 8 systems, assessment systems, so it makes clear the 9 list of physical security functions that need to be 10 protected from a cyber perspective.
11 The paper also provides guidance on what 12 it refers to as digital security tools. And these are 13 devices that licensees in some instances use such as 14 like a digital range finger or a digital rifle scope.
15 These are things that may be used from a security 16 perspective but don't really meet the intent of 17 performing a security function.
18 So the paper gives licensees a guidance 19 that if they evaluate these devices, they would still 20 need to evaluate them. And they confirm that the 21 device does not perform a security function and that 22 it cannot adversely impact -- the compromise of it 23 could not adversely impact a safety security or 24 emergency preparedness function, then they don't need 25 to consider those devices to be critical digital NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
67 1 assets.
2 The paper also gives licensees an 3 alternative means to address security support systems.
4 An example of that would be an HVAC system that 5 provides cooling to the central alarm station or the 6 security computers.
7 And similar to the approach taken with 8 emergency preparedness, if licensees establish 9 procedures and training to implement alternate means 10 to provide that support function and they do it in a 11 way that prevents an adverse impact to the security 12 function that it's supporting, then that device 13 performing a support function does not need to be 14 protected as a CDA.
15 And lastly the paper provided additional 16 guidance on the protection of digital assets used for 17 access authorization. So computers used for 18 background checking programs, granting access to the 19 plant, et cetera.
20 And it addressed a number of different 21 configurations and scenarios that we see with 22 licensees in the field. Some licensees protect their 23 digital assets for access authorization at the highest 24 levels of their network. Others rely on offsite 25 corporate assets to perform some access authorization NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
68 1 functions. So this paper provides additional guidance 2 on how licensees should classify and protect those 3 digital assets in each case.
4 It also describes how licensees must 5 verify the data integrity if they take access 6 authorization data, such as somebody was approved for 7 plant access, all that badging information, when it's 8 transferred onsite to the plant security computer, it 9 gives licensee's requirements that they have to 10 perform a secondary verification to make sure that 11 data integrity was maintained when that data was 12 transferred to the plant security computer.
13 On further review of this white paper, we 14 had some initial discussions with NEI in mid to late 15 2020 and then NEI submitted a draft in December 2020.
16 We held a public meeting in January 2021, 17 and provided NEI with comments, staff comments in 18 April of 2021.
19 Our comments centered around ensuring that 20 there was sufficient detail in the access 21 authorization section to ensure proper implementation 22 that covered all of the various licensee 23 configurations that we've seen and also ensured that 24 there was sufficient detail in the security support 25 system guidance to ensure that it protected against NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
69 1 adverse impact to the security functions that it's 2 supporting.
3 NEI submitted another revision that we 4 reviewed and found consistent with the NEI 08-09 in 5 June of this year. And as with the other white 6 papers, licensees can implement these changes now or 7 they can, you know, wait for the full revision to NEI 8 10-04 or NEI 13-10 if they wish.
9 Any questions on physical security? Okay.
10 With that, I'll turn it back over to Jim. Thank you.
11 MR. LEE: Jim, you are muted.
12 MR. BEARDSLEY: That was going to happen 13 eventually. As I noted earlier, when the staff 14 performed our program assessment in 2019, the Office 15 of Inspector General also conducted an audit of the 16 cyber security inspection program at the same time.
17 And both of those processes identified opportunities 18 to further performance inform our inspection program.
19 The staff has taken the lessons learned 20 from our full implementation inspections conducted 21 from 2017 through 2021 and developed a new inspection 22 procedure that will be incorporated into the reactor 23 oversight process inspection cycle.
24 The inspections have been shortened from 25 two weeks to one week and will be conducted on a two NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
70 1 year basis versus a three year basis.
2 The inspections will be based on having 3 two regional inspectors and two subject matter expert 4 contractors similar to the inspections we've conducted 5 to date.
6 We are providing opportunities in the 7 inspection procedure for licensees to provide the 8 staff with performance metrics information or 9 potentially performance testing information on 10 replicas of their systems. If they do that, the staff 11 will evaluate the information and may reduce the 12 resources assigned to the inspections.
13 The staff hopes to have this inspection 14 procedure approved in August and plans to conduct a 15 series of public meetings with industry and 16 stakeholders to discuss implementation of the 17 inspection procedure prior to the start of inspections 18 in January of 2022.
19 Are there any questions about our future 20 inspection program? Okay. I will be followed by 21 Juris Jauntirans, who will discuss our cyber security 22 efforts associated with the Part 53 rulemaking 23 program.
24 MR. JAUNTIRANS: Good afternoon. As Jim 25 said, my name is Juris Jauntirans. I'm a Cyber NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
71 1 Security Specialist within the Cyber Security Branch.
2 During my portion of the brief, we will be on Slide 3 14.
4 In Part 53, NSIR staff aims to develop a 5 technology inclusive regulatory program for advanced 6 reactors that applies a performance-based graded 7 approach for a comprehensive range of security areas, 8 including physical security, cyber security, 9 information security, fitness for duty and access 10 authorization.
11 This proposed regulatory framework will 12 offer applicants flexibility to rightsize the program 13 by providing performance-based requirements that are 14 commensurate with the risk to public health and 15 safety. Both of the physical security and the cyber 16 security sections in Part 53 are going to point to new 17 sections within Part 73 and for cyber security, that's 18 going to be Part 73.110.
19 In this new section of Part 73, the staff 20 specifies cyber security requirements for the 21 protection of digital computers, communication systems 22 and networks for advanced reactors. And we presented 23 the proposed language at a June 10 public meeting.
24 While 10 CFR 73.54 provides a good 25 framework for cyber security operating reactors, the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
72 1 staff feels that advanced reactors require a more 2 flexible approach to adapt to the wide variety of 3 technology that advanced reactors could potentially 4 represent.
5 CHAIR BROWN: Why?
6 MR. JAUNTIRANS: With that in mind -- I'm 7 sorry.
8 CHAIR BROWN: Why? I mean, a reactor is 9 a reactor. Why does an advanced reactor -- why does 10 it need more flexibility than the regular reactor 11 plants that we have today?
12 MR. JAUNTIRANS: We were given the task --
13 CHAIR BROWN: That's the next statement.
14 MR. JAUNTIRANS: Okay. That's a good 15 point, sir. We were given the task to develop a 16 graded approach because of the variety of 17 technologies.
18 We can go from a very, very small source 19 term, very, very small reactors all the way to 20 something that's as big or larger than the current 21 light-water fleet and because the varied types of 22 control systems that a cookie-cutter approach from 23 73.54 would not necessarily be the best approach. And 24 we are currently in a draft. And we would be happy to 25 accept any other --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
73 1 CHAIR BROWN: Did we lose you?
2 MR. JAUNTIRANS: -- on the draft rule.
3 CHAIR BROWN: Why in the world would the 4 cyber security requirements be worried about whether 5 you had a low source? I mean, you don't want a 6 reactor plant regardless of the source term to be 7 hacked, destroyed, rendered, you know, unusable or be 8 dangerous in any way, shape or form than it regularly 9 would. Just because it may not contaminate as large 10 of an area, we let guys freewheel in and do what they 11 -- I'm being facetious a little bit with my statement.
12 I'm overstating the point just to make the point.
13 It just doesn't seem to make sense that 14 source term would be used to define the level of cyber 15 security or the allowance for less or a more 16 penetrable type cyber security then you would involve 17 on a large light-water reactor.
18 MR. JAUNTIRANS: So source term is not the 19 only criteria. And I believe Michele Sampson here has 20 appeared on the screen. I think she's got something 21 to add here.
22 MS. SAMPSON: Thanks so much, Juris. I 23 just wanted to make the point that our intent in the 24 Part 53 rulemaking effort is to provide an equivalent 25 level of safety and to develop regulations that are NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
74 1 technology inclusive.
2 So we certainly are not looking to provide 3 anything that would be a lower level of safety. The 4 regulations will provide an equivalent level of safety 5 but also provide a performance-based approach that 6 will enable or ensure that applicants consider the 7 range of, you know, potential hazards that may exist 8 with the different technology designs.
9 So, you know, it's certainly not our 10 intent that the regulation is lesser. It is just 11 technology inclusive and very performance based.
12 CHAIR BROWN: Well, all of these were 13 performance based. I mean, the stuff we are putting 14 in today are performance based. They are technology 15 inclusive, and they are technology neutral. You can 16 do them multiple different ways. So those words, 17 pardon my French, seem to be injected into a lot of 18 these different conversations these days relative to 19 what we're doing.
20 The connection we have in general is stuff 21 that's going to be the same across platforms, we 22 shouldn't make them different or think they should be 23 -- this is a personal opinion now. This is not a 24 committee opinion. I want to make that clear.
25 I just have a hard time understanding why NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
75 1 we can allow a wireless connection into a plant where 2 it can be totally hacked and melted down because it's 3 an advanced reactor, because it's got a little source 4 term, I'm saying that speculatively, when we wouldn't 5 allow that type of stuff in a large light-water 6 reactor.
7 It's just the thought process. I think we 8 have to -- there are some things you have to protect 9 against. And cyber is a very vulnerable area on any 10 plant that we put out in the field that NRC puts their 11 name behind.
12 MEMBER BLEY: Charlie?
13 CHAIR BROWN: Yes.
14 MEMBER BLEY: They haven't said they are 15 going to allow wireless on a new plant. They said 16 they're going to maintain the same level of safety.
17 And I'll take you back to a meeting we had a couple 18 years ago on this topic when you very much, and I was 19 with you, were worried that the level of effort we 20 were forcing people into and looking at critical 21 assets was going to cost more than is reasonable.
22 And I personally see if there's a low 23 chance of harm, we don't need to pour as much effort 24 in as if there's a high chance of harm. And I'd give 25 them the chance to come up with something. Now NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
76 1 they're saying they will maintain the same level of 2 safety. We've got to see what that means. But 3 dismissing that as not possible at least to me doesn't 4 seem reasonable.
5 CHAIR BROWN: I'm thinking more of access 6 than I am anything else. And I agree with you. I've 7 always worried that we can overdo the CDA routine and 8 beat the licensees to death. You're correct. I've 9 said that before, and I will say that again right now.
10 I don't want to impose.
11 I like to categorize systems, those that 12 really are related to safety. And those that aren't 13 -- so they get compromised, you can recover and don't 14 worry about it because you just may lose some data.
15 You may lose some of this. But the world is not going 16 to end.
17 And I've always worried that we've applied 18 too many rules to stuff that don't need a lot of 19 rules. So it's a double-edged sword, but I don't like 20 -- I'm just worried about people thinking access can 21 be maybe a little bit easier because the outcome or 22 the results may not be as bad.
23 And I just think it's bad for any reactor 24 plant to be viewed as a potential hazard. It's hard 25 enough getting them built these days without adding NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
77 1 impressions to people that they're just not as safe as 2 they used to be. It's just a thought -- that's just 3 my thoughts. That's all. I'm not trying to -- I'm 4 just trying to make this to be thoughtful and not get 5 carried away. That's my only thrust.
6 MEMBER HALNON: So, Charlie, this is Greg.
7 I understand where you're going with that. And I'm 8 kind of looking at it from a different perspective 9 that the new look at it from this performance based, 10 maybe we'll have a conversation in the future how that 11 could apply based on lessons learned and higher levels 12 of knowledge that we had in the '08s and '09s time 13 frame based on, you know, the contemporary cyber 14 knowledge. Maybe we will have a conversation on how 15 this could apply to the large light-waters in the 16 future as opposed to just the smaller reactors.
17 Kind of like what Dennis said, I'm kind of 18 just anticipating an interesting conversation on the 19 other end, why couldn't this apply to the bigger 20 plants as opposed to, you know, what you're saying is 21 why can't the bigger plants comply to the advanced 22 reactors? So anyway, that's my thoughts. That's what 23 you sparked.
24 CHAIR BROWN: I don't disagree with you 25 from that thought process. My fundamental thought NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
78 1 when we do our design reviews, primarily my focus is 2 on the reactor trip, safeguards, ECCS and the 3 functions that they control to ensure the plant is 4 safe. And there's a plethora of other equipment out 5 there that don't really require that level of 6 protection.
7 MEMBER HALNON: Okay. Yes, I agree, and, 8 you know, clearly the balance of plant stuff for the 9 smaller reactors will be in a different neighborhood 10 --
11 CHAIR BROWN: Absolutely.
12 MEMBER HALNON: -- so.
13 CHAIR BROWN: Absolutely. But yet one of 14 the big concerns in the power supply type world is 15 with operators going to Internet controls of their 16 remote stations, you have just set yourself up for a 17 massive grid shutdown because it's very difficult to 18 protect those assets cyber-wise. I mean it's a 19 continuing threat. And you're always fighting 20 yesterday's battle.
21 MEMBER HALNON: Well, and this brings us 22 back to the potential discussion of autonomous 23 operation. You're talking about wanting to be fearful 24 of something that could happen bad is no one would 25 even be watching it.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
79 1 CHAIR BROWN: Yes. Yes, we mentioned that 2 before. It's another one of my big concerns.
3 MEMBER HALNON: Yes.
4 CHAIR BROWN: All right. I'm sorry I just 5 -- you can tell that this stuff is dear to my heart 6 so.
7 (Simultaneous speaking.)
8 MEMBER KIRCHNER: I think, Charlie, this 9 conversation sooner or later is going to have to 10 include a conversation about operators and where 11 they're located and how they're licensed, et cetera, 12 et cetera, and physical security.
13 I kind of view it as kind of like a Venn 14 diagram of sorts because for those micro reactor 15 concepts and other concepts that aren't likely to be 16 large megawatt plants, what they are envisioning is 17 entirely different than what we expect of, you know, 18 a large power plant in terms of are there operators or 19 physical security and the cyber security aspects, 20 especially if they're "to be remote operated."
21 MEMBER MARCH-LEUBA: Yes. But let's not 22 relax the requirements for the 3,000-megawatt plant 23 because there is an assumed 1 megawatt plant out there 24 that may want to do something different.
25 We tend to write our regulations to the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
80 1 lowest common denominator, which is the best plant, 2 which is the 1 megawatt plant. But we still have to 3 deal with the 3,000. That was just a comment.
4 I wanted to bring back to the discussion 5 this line, which is Part 53. In my opinion, the 6 biggest qualitative change in Part 53 is the 7 interaction of Tier 1 and Tier 2 safety goals. Okay.
8 And what we've done is move all of the 9 safety off to Tier 2. And anything that is in Tier 2 10 is non-safety grade. So you guys have the experience 11 of operating reactors with almost all SSCs are safety 12 grade, and you have to protect them.
13 When you look at that 53 license plant, 14 they may not have a single safety grade component, not 15 one, because of the way they have it under Tier 1 and 16 Tier 2. And you need to think about it because I 17 don't like it. I'll put it on the record. You guys 18 please do think about --
19 MEMBER PETTI: Jose, I really wish you'd 20 stop interpreting and reading into 53 things that 21 aren't there. I've seen a ton of plants. They all 22 have safety systems. Okay? To say that they would 23 have no safety systems is an exaggeration and doesn't 24 affect the operation.
25 MEMBER MARCH-LEUBA: I will go to the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
81 1 transcript and say where the staff said that. I will 2 find it for you.
3 MEMBER MARCH-LEUBA: The staff said some 4 of this is more than one --
5 MEMBER PETTI: The staff is recommending 6 getting rid of the concept of Tier 2, which means that 7 all of the requirements would just be there so.
8 MEMBER MARCH-LEUBA: And I don't know.
9 And we are, too, ACRS put it on the record.
10 MEMBER PETTI: Yes. So that's just not --
11 MEMBER MARCH-LEUBA: So right now it is 12 there. Okay? So if you are writing a cyber security 13 policy for Part 53, you have to assume, today, that 14 there's a Tier 1 and a Tier 2. And a very small low 15 power reactor with very good fuel cannot possibly 16 produce 25 rem at the boundary. Under 4, you don't 17 need anything for safety grade. And they told us that 18 yesterday.
19 MEMBER KIRCHNER: So you're throwing that 20 position, Jose, that I don't think is a likely outcome 21 from a staff review of an application.
22 MEMBER MARCH-LEUBA: They told us that 23 yesterday.
24 MEMBER KIRCHNER: Remember, you still have 25 to, as a previous presenter today said, you have to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
82 1 shut down the reactor and maintain it in a shutdown 2 condition and you have to protect efficient product --
3 MEMBER MARCH-LEUBA: Nope, nope, nope, 4 nope, nope, nope, nope. Control reactivity is Tier 2.
5 MEMBER KIRCHNER: No. It is not.
6 MEMBER MARCH-LEUBA: It is. Look at it.
7 Check it out. Tier 1, and we'll discuss it in Part 8 53. I apologize to these other guys. Tier 1 is only 9 control of heat ventilation (phonetic).
10 CHAIR BROWN: That's okay. Can we resolve 11 that and get on with this particular discussion? I 12 think we ought to get that one cleared up so we all 13 understand that, Jose and Walt so and Dave. So I 14 agree. We ought to --
15 MEMBER PETTI: Let's table that and keep 16 going, Charlie.
17 CHAIR BROWN: Yes. That's what I'm 18 planning on doing that right now. Okay. Go ahead.
19 I'm sorry about that.
20 MR. JAUNTIRANS: No worries. Thank you.
21 I think it's a good valuable discussion for everybody 22 to hear. Thank you.
23 So with the flexibility that we've 24 previously discussed, in lieu of requiring advanced 25 reactor licensees to protect against cyber-attacks up NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
83 1 to and including the design basis threat as required 2 for power reactors in 10 CFR 73.54, the proposed new 3 section implements a graded approach at the cyber 4 security program and security controls implementation 5 level.
6 A greater approach based on consequences 7 is intended to account for the differing risk levels 8 within advanced reactor technologies. Specifically, 9 the new section requires licensees to demonstrate 10 reasonable assurance of cyber security protection 11 against cyber-attacks only if such attacks would lead 12 to a consequence as defined in the proposed rule.
13 The proposed new section leverages the 14 operating experience from power reactors. The 15 proposed regulations for fuel cycle facilities as well 16 as 10 CFR 73.54 framework as it contains some of the 17 basic requirements needed for cyber security 18 regardless of reactor type.
19 It's also informed by the NRC's Office of 20 Nuclear Security's Incident Response Interagency 21 interface efforts associated with cyber security.
22 Differences between the 10 CFR 73.54 23 requirements and those discussed in the proposed new 24 section are primarily based on the implementation of 25 the graded approach used in the Part 53 construct to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
84 1 accommodate the wide range of technologies to be 2 assessed by the NRC.
3 The proposed new section currently 4 includes two consequences which are related to 5 advanced reactors physical security requirements in 6 Part 53.
7 The first consequence seen here on the 8 left side, the second box from the top, deals with the 9 topic of radiological sabotage. Specifically, it 10 deals with the scenario where the cyber-attack leads 11 to offsite radiation hazards that would endanger 12 public health and safety.
13 CHAIR BROWN: We lost you or you're muted.
14 MR. JAUNTIRANS: Yes. Somebody muted me 15 there. Okay.
16 CHAIR BROWN: Yes.
17 MR. JAUNTIRANS: All right, anyway. So it 18 specifically deals with -- it's the consequence 19 exceeding specific dose value criteria from Part 53.
20 At the current time, it's tied to Part 53 first tier 21 safety and criteria.
22 The second one, which would be the bottom 23 box on the left side, that consequence deals with the 24 topic of theft or diversion. Specifically, it deals 25 with the scenario where the cyber-attack adversely NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
85 1 impacts digital assets used by the licensee for 2 implementing the physical security requirements for 3 special nuclear material, source material and 4 byproduct material in Part 53. This is tied to the 5 Part 53 physical security rules for advanced reactors.
6 And that is linked with Part 37.
7 As a part of the Part 53 rulemaking 8 efforts, the staff is seeking formal feedback from all 9 stakeholders on whether any additional consequences 10 should be included in the new section. And as of 11 present, we have not received any feedback in that 12 regard.
13 The primary feedback we've received has 14 been about the Tier 1 safety criteria. I don't have 15 that at this present time. But that's the most 16 feedback we've gotten at this time.
17 The remainder of the rule resembles 10 CFR 18 73.54 in many ways while implementing the graded 19 approach as previously discussed. And are there any 20 more questions? Okay. I'd like to turn it back to 21 Jim for discussion on the PRM.
22 MR. BEARDSLEY: Thank you, Juris. In 23 2019, when the staff briefed the Subcommittee -- there 24 we go -- we noted the fact that NEI had submitted a 25 Petition for Rulemaking to change the Cyber Security NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
86 1 Rule in 2014.
2 The staff has reviewed that rule over the 3 course of the last few years. And in 2019, a decision 4 was made to hold off on a decision until the staff had 5 completed the efforts associated with our internal 6 self-assessment and the action plan that we discussed 7 earlier in this presentation.
8 The staff has since made a recommendation 9 to the Commission and the Commission has yet to 10 complete their decision-making on the petition. And 11 we expect to hear from the Commission sometime this 12 month or early next month. Any questions about the 13 Petition for Rulemaking?
14 CHAIR BROWN: Yes, Jim. Is that the 73.54 15 rule or --
16 MR. BEARDSLEY: It is. It was a petition 17 -- PRM 73.18 dealt with the content and construct of 18 73.54.
19 CHAIR BROWN: We haven't been involved in 20 that, at least I haven't been at that point. Can you 21 give us a little bit of the thrust of the NEI? I know 22 we've got the Petition here, but I didn't get to that 23 part. I was looking at the other parts.
24 MR. BEARDSLEY: Sure. Big picture, NEI's 25 point was that the industry had overincluded digital NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
87 1 assets in their cyber security programs, which could 2 potentially distract them from focusing on those 3 assets with a higher risk or a higher significance.
4 And they believe that the rule should be rewritten to 5 reduce the overall scope.
6 The staff reviewed that in light of the 7 fact that it is a performance-based rule. The staff 8 has, you know, done evaluations and in particular, as 9 a result of the action plan, has been working with 10 industry to try and look hard at the decision-making 11 process on what digital assets need to be included in 12 the program and those that have not. And those are 13 the areas we talked about earlier in our presentation.
14 MEMBER KIRCHNER: Jim --
15 CHAIR BROWN: Have you provided a 16 recommendation -- just a minute, Walt. Have you 17 provided a recommendation to the Commission or --
18 MR. BEARDSLEY: The Petition Review Board 19 did provide a recommendation to the Commission. And 20 the Commission has yet to respond to the staff.
21 CHAIR BROWN: Was the staff involved in 22 that? I mean, like --
23 MR. BEARDSLEY: The Petition Review Board 24 was made up of staff, yes.
25 CHAIR BROWN: Okay. Folks that were NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
88 1 familiar with the cyber security requirements in 5.71 2 and what fell out of the rule in terms of actual 3 execution?
4 MR. BEARDSLEY: Right. As with all 5 petitions, you have a multidisciplinary team that 6 makes up the overall evaluation.
7 CHAIR BROWN: All right. Thank you. Yes, 8 Walt, I interrupted somebody.
9 MEMBER KIRCHNER: No. It was along the 10 same lines, Charlie. I was just thinking 2014 is a 11 long time ago. Both the industry and the staff have 12 come a long way, the staff, in implementing its 13 program plan. Does the industry still feel like the 14 rulemaking is necessary given where we are in 2021?
15 MR. BEARDSLEY: I couldn't say. You would 16 have to ask industry.
17 CHAIR BROWN: Okay. Any other questions 18 on this subject? All right. Why don't we roll on, 19 Jim.
20 MR. BEARDSLEY: Absolutely. We talked 21 about Regulatory Guide 5.71 a number of times over the 22 course of the brief. Just to point out, the Reg Guide 23 was published in 2010. In 2016, the staff initiated 24 an update to the Reg Guide.
25 And in 2018 and 2019, it was recognized NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
89 1 that the staff and industry, through our assessment 2 and as a result of inspection lessons learned, had 3 found a number of areas that probably should be 4 included in the draft guide or the Revision 1 to the 5 Reg Guide. So we put that draft on hold in 2018 and 6 picked it up again just this past year in 2021.
7 The staff has completed the update of the 8 Reg Guide based on the information they had to date.
9 And that update included the implementation of the 10 industry white papers, which we talked about earlier 11 in this presentation, clarification on insights gained 12 from operating experience in both national and 13 international cyber security standards, updated text 14 to discuss risk-informed cyber security evaluation 15 methodologies and updated texts based on the 16 resolution of public comments that were received when 17 the draft guide was last released publicly in 2018.
18 The staff intends to release this version 19 of the draft guide for public comment in the near 20 future and will hold multiple public meetings 21 associated with that public review process.
22 The current schedule has the Revision 1 to 23 Reg Guide 5.71 being published sometime in the spring 24 of 2022. Any questions about the revision to the Reg 25 Guide 5.71?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
90 1 MEMBER HALNON: Jim, this is Greg Halnon.
2 I realize that it looks like a lot of effort for 3 revising a Reg Guide that one licensee is using for 4 one plant that's not even operating yet. What is the 5 industry looking at?
6 Are they looking at helping you get this 7 to where it needs to be so we can use 5.71 8 consistently across the country and satisfy our 9 earlier concerns about so many documents with so many 10 different definitions and whatnot or is this going to 11 just be a continuing saga of just one licensee using 12 it?
13 MR. BEARDSLEY: So based on the feedback 14 I received from industry, I don't believe that the 15 licensees are going to change their Cyber Security 16 Plans because the draft guide isn't changing the 17 template for the Cyber Security Plan significantly.
18 Our goal with updating the Reg Guide is to 19 incorporate the lessons that we've learned over the 20 years and really look hard at both national and 21 international standards and make that information 22 available to future licensees.
23 So the Rev 1 to Reg Guide 5.71 is arguably 24 tailored towards the information for future licensees.
25 MEMBER HALNON: So future Part 50 and 52, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
91 1 right.
2 MR. BEARDSLEY: Future Part 50 and 52, 3 right. We are engaged in a parallel Regulatory Guide 4 development as part of Part 53, which will also 5 include a significant amount of the information we've 6 included in Reg Guide 5.71.
7 MEMBER HALNON: Okay. I think my concern 8 is that there's just a lot of parallel efforts going 9 forward and a lot of parallel documents. You know, 10 there are multiply different licensees using them in 11 different ways.
12 I mean, ultimately, they're all getting to 13 where you want to be. I get that. But the concern is 14 that it's a lot of effort when there's, I mean, both 15 on your side and the industry side to get this 16 document updated.
17 And I agree it's for future licensees.
18 But I'm not sure how many more there's going to be 19 under Part 50 and 52 that it would make all this 20 effort worth it.
21 So anyway, I got to go back and look at 22 the whole plethora of documents again and just see how 23 it all fits together. So thanks. And I'll hold my 24 comments until later.
25 MR. BEARDSLEY: Any other questions on our NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
92 1 Regulatory Guide 5.71 update?
2 CHAIR BROWN: Yes.
3 MR. BEARDSLEY: Okay.
4 CHAIR BROWN: I don't want to do a 5 detailed -- I'm not trying to do a detailed -- I'm 6 always curious about 5.71 so I did take some time and 7 compare the original revision from 2010 to the new 8 update.
9 The new update has some good stuff in it, 10 okay, some references to unidirectional, hardware 11 based, non-software controlled, et cetera, et cetera.
12 Good lessons learned from all the design applications 13 we've gone through.
14 It also has some stuff that's not so good.
15 And you probably knew I was going to say that 16 somewhere. For instance, the old one, and I'm not 17 going to go through a lot. It's just an example. The 18 old one prohibited bidirectional communications or any 19 communications from lower levels of security to the 20 more secure levels, in other words from Level 2 to 21 Level 3 or 4.
22 MR. BEARDSLEY: Mm-hmm.
23 CHAIR BROWN: And they do it on a denial, 24 permit by exception basis. It's just all kinds of 25 weasel words whereas before you weren't able to do NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
93 1 that with bidirectional or even unidirectional from 2 the lower safety to the higher safety systems. That's 3 not good.
4 But like I said, is that countered by some 5 of the other good stuff? I don't know what else is in 6 there. It would certainly behoove to get us and you 7 all on the same page before you go out with this.
8 That's all. I don't know what your overall plans are 9 but --
10 MR. BEARDSLEY: Sure.
11 CHAIR BROWN: -- we really probably ought 12 to -- and it's also about -- let me see. It's at 13 least 55 pages or 45 pages longer than it used to be.
14 So I'm worried about complexity being added into it 15 now as well. Does that mean more requirements or 16 what? So what you --
17 MR. BEARDSLEY: So the section of the 18 regulatory guide that details the licensee's cyber 19 security plan has not changed very much at all. There 20 are a few changes that we approved for industry over 21 time that are incorporated. So the majority of the 22 new information is program level guidance on sort of 23 how you would look at a program.
24 And also the initial Reg Guide was based 25 on the National Institute of Standards, cyber security NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
94 1 standards, at the time in 2009, 2008. Those standards 2 have changed significantly over the last 10 years.
3 And so we've looked at those and tried to incorporate 4 the lessons from those standards as well in addition 5 to look at some international standards.
6 So there's a lot of information there, I 7 agree. And it is a significant change. But there is 8 good information in there for users.
9 CHAIR BROWN: I saw some. I told you all 10 right up front, I saw some stuff that was much better 11 than the previous words. But I'm also -- every time 12 somebody says we've updated the new standards, and the 13 new standards are more what I would call less safe, 14 like communicating from low level to high level, high 15 security level stuff, that was totally prohibited and 16 was looked at, you wouldn't do that before and now 17 it's allowed, fundamentally allowed, although you say 18 they're going to have to jump through hoops to do it.
19 I don't know what else is in there like 20 that. That's why I think a little bit of another 21 eyeball on it before we get all enhanced with the 22 industry and public standpoint would probably be 23 useful. We need to look at that just to give you a 24 heads-up.
25 MR. BEARDSLEY: Got it.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
95 1 CHAIR BROWN: Go ahead. You can move on 2 unless --
3 MR. BEARDSLEY: Okay.
4 CHAIR BROWN: -- somebody else has 5 something.
6 MR. BEARDSLEY: Okay. The NSIR staff over 7 the last year or so have engaged with our colleagues 8 in the Office of Research on a number of research 9 projects to look at different aspects of cyber 10 security, both current and future.
11 This list shows the high level four areas 12 that we currently have cyber security research going 13 on and our colleagues in research will be briefing, I 14 believe, the full committee tomorrow. So if there's 15 any questions from a research point of view, you'll 16 have an opportunity to ask then.
17 Just a quick look at what these are, 18 attack surfaces for cyber security monitoring and 19 oversight. One of the things that we've looked as 20 we've inspected industry over the years is trying to 21 understand and help industry understand what are the, 22 you know, attack surfaces or the ways that an 23 adversary could attack them?
24 And the staff is engaged with research on 25 a project to help us define what are a clear set of NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
96 1 attack surfaces that we can use as a model when we're 2 evaluating the licensees and the licensees' programs?
3 The staff is looking at developing a 4 replica of licensees' networks that we could use for 5 research to look to evaluate different techniques that 6 the industry has implemented and also for training for 7 the staff themselves.
8 MEMBER BLEY: Can you explain that one a 9 little bit to me?
10 MR. BEARDSLEY: Sure. So the licensees 11 have multiple different methodologies for developing 12 and implementing their networks. And what the staff 13 would like to do is put together a network training 14 tool that would allow staff to go evaluate those 15 implementations and better understand them.
16 MEMBER BLEY: So this would be like a 17 software model of their network or something to 18 experiment with?
19 MR. BEARDSLEY: It would be a software 20 model that we could configure to be similar to 21 different licensee networks and then use those for 22 evaluation.
23 MEMBER BLEY: Interesting. Okay. Thanks.
24 MR. BEARDSLEY: And this is at the --
25 we're at very early stages. So we're just going to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
97 1 investigate the potential for it. We're not ready to 2 move forward with any kind of construct yet. But our 3 colleagues in research are helping us sort of scope 4 out what it would take to go do that.
5 MEMBER BLEY: So this is kind of like the 6 digital twin stuff we've heard about from research?
7 MR. BEARDSLEY: It could theoretically be 8 that although we are tapped in with research into the 9 digital twins effort as well.
10 MEMBER BLEY: Okay. Thanks.
11 CHAIR BROWN: Jim?
12 MR. BEARDSLEY: Yes.
13 CHAIR BROWN: I want to phrase this -- get 14 this stated clearly. I'm trying to remember if we've 15 seen this or not. It seems to me we've seen this 16 somewhere, and I'm not remembering where.
17 But networks, a couple configurations of 18 networks, you have a bunch of systems out in a plant.
19 Data goes into the network. It gets distributed to a 20 bunch of control systems, emergency support center, 21 technical support center, et cetera, et cetera. And 22 it's distributed via just like a big server if you 23 want to call it that, a distributor.
24 MR. BEARDSLEY: Mm-hmm.
25 CHAIR BROWN: But you can also embed NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
98 1 control software in a network so you don't end up 2 building control software for the functions like a 3 motor control or a reactivity control system. And 4 then you go segregate or partition the network so that 5 you've got software barriers between them.
6 MR. BEARDSLEY: Mm-hmm.
7 CHAIR BROWN: I'm not sure I'm saying that 8 right. Have you even given that any thought? I'm 9 trying to remember if anybody -- I thought I 10 remembered somebody doing something like that, but I 11 don't think it was in the reactor trip circuit. It 12 wasn't in the safety system area. It was in some 13 other area.
14 Have you all seen any of that at all? It 15 seems to me that's a dangerous thing to get into when 16 you start burying stuff, control functions for various 17 other, maybe, balance of plant systems or whatever 18 into a network instead of a unique control system for 19 that component.
20 MR. BEARDSLEY: Yes. I can't speak to the 21 specifics on what we've seen. I mean, we've done 58 22 inspections. But I will say that the greater majority 23 of the plants in the current operating fleet do not 24 have high functioning digital systems in their safety 25 systems.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
99 1 They are evaluating digital I&C upgrades.
2 And that's something that the staff is focused on, and 3 we're very involved in the evaluation of.
4 They have implemented complex digital 5 instrumentation and control in the balance of plant.
6 So there are differences there. And the licensees 7 have used various different tools to, you know, 8 partition their networks to try and keep different 9 levels of protection in different areas. But, again, 10 there's many, many different configurations out there.
11 I mean, virtually every plant is different.
12 CHAIR BROWN: Okay. Thanks.
13 MR. BEARDSLEY: We have a whole other 14 slide to talk about wireless. So I'm not going to get 15 into that on this slide, but we are engaged with 16 research looking at different wireless technologies 17 and their impact on the plant systems. Any questions 18 about our interactions with research?
19 All right. Now, I'm going to turn it over 20 to Mario Fernandez to talk about wireless.
21 MR. FERNANDEZ: Again, this is Mario 22 Fernandez, and I'm on Slide 18. As Jim mentioned, 23 there was a public meeting that was held with the 24 industry on February 20, 2020.
25 The industry at this time discussed NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
100 1 opportunities for future implementations of wireless 2 technologies, the benefits of implementing wireless 3 technologies, implementation considerations related to 4 cyber security and the next steps.
5 At this time, the CSB staff is working 6 with the Office of Research, as Jim mentioned, and 7 also working with the DOE labs under the Light-Water 8 Reactor Sustainability Program to evaluate potential 9 industry implementation so we can better understand 10 all the possible uses of these technologies to ensure 11 the licensee is complying with its Cyber Security 12 Plan.
13 Specifically, the NRC concern is that we 14 want to have a thorough understanding of how these 15 technologies will be used if the wireless devices or 16 the wireless technologies that the licensees are 17 intending to implement will be critical digital 18 assets. And currently, CDAs are not affected by the 19 use of wireless technologies.
20 And now I'll turn it back over to Jim.
21 MEMBER REMPE: Before you do that, I had 22 a question. Could you go into some more detail about 23 specific examples that are being considered? This is 24 just a little too high a level for me.
25 I'm aware of some examples that they're NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
101 1 doing in Japan at Fukushima that I think might be of 2 interest to U.S. industry for operations and 3 maintenance. And, again, if the plant is shut down 4 where it's applied so you don't adversely affect cyber 5 security. But what kind of examples are being 6 discussed?
7 MR. FERNANDEZ: That's a very good 8 question, Member Rempe. The industry, for instance, 9 have mentioned in use of wireless technologies to 10 obtain data for different devices in the field.
11 This data will be collected at some 12 central point. And instead of running wires, the 13 licensee's intend to use wireless technologies to 14 collect this data for analysis or to be able to 15 perform other functions.
16 There have also been some preliminary 17 information where the use of drones can be used for 18 specific functions to perform some kind of maintenance 19 inspections or to perform maybe some security 20 functions. Because we don't have enough information 21 yet and the industry only has a present desire to use 22 these technologies, we don't have a lot information.
23 And that's the reason why we are engaging 24 with the Office of Research so we can understand how 25 these technologies can be used, what are the possible NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
102 1 vulnerabilities that can be introduced into the 2 environment that this technology will be used. We 3 want to have a full understanding and then we want to 4 assess and evaluate implementation to ensure the 5 licensees are meeting the requirements in the Cyber 6 Security Plan. Does that answer your question, Member 7 Rempe?
8 MEMBER REMPE: Yes, it does with respect 9 to the condition between the plant components I'm 10 aware of. I have not heard much discussion yet about 11 the use of drones, which is of interest and how that 12 could be done. Again, it's being used quite 13 effectively in Japan. And so I'm interested in 14 hearing more about that.
15 MR. FERNANDEZ: Yes, ma'am. So are we.
16 MEMBER REMPE: Tomorrow, during our 17 research discussion, do you expect that they will be 18 able to provide more details or it's just too 19 preliminary? There's just not enough information 20 coming from industry yet?
21 MR. FERNANDEZ: Ma'am, I don't know what 22 the Office of Research is going to present. But I 23 believe that it is too preliminary to even go beyond 24 what we are discussing right now.
25 I'm just providing some examples where the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
103 1 licensees have expressed were the areas that they can 2 use these kind of technologies for a lot of different 3 reasons. Obviously, some of them are economical 4 reasons. Some of the other reasons are to automate or 5 try to implement a more effective and efficient way of 6 doing business at their sites.
7 MEMBER MARCH-LEUBA: Hey, Mario, this is 8 Jose March-Leuba. On those examples you've given, I 9 assume you will use wireless for one directional data 10 out not for control in, correct? Is that what you 11 envision?
12 MR. FERNANDEZ: That's a very good 13 question, sir. We don't know yet. We don't know how 14 this technology will be used. That's the reason why 15 we want to learn how this technology will be 16 implemented, how the licensee intends to implement 17 those technologies. In order for us to provide an 18 answer exactly to the question, that's exactly the 19 question we're asking ourselves, you know, how this 20 would affect your --
21 (Simultaneous speaking.)
22 MEMBER MARCH-LEUBA: I'm sure you know 23 more about this than I do but the way I would 24 implement it would be establish a VPN tunnel in the 25 sensor on the receiver. All right? And I would NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
104 1 encrypt all the communications and ensure that both 2 sides are authenticated.
3 However, I did a search on the NIST 4 database of vulnerabilities this morning again, and I 5 found 39 VPN vulnerabilities reported this year. It 6 turns out to be one VPN vulnerability reported every 7 three days.
8 And then I extended the search for three 9 years, which is an easy way to do it. And it turns 10 out to be one VPN vulnerability every three days. So 11 just because somebody tells you I have a VPN between 12 my sensor and my receiver, Jesus Christ, every three 13 days there is a VPN, somebody messed up in their 14 parameter on VPN so. But please do be careful. Thank 15 you.
16 MR. FERNANDEZ: I share your concern.
17 That's our concern, too. And I'm aware that recently 18 there have been a lot of vulnerabilities reported 19 regarding the use of VPNs.
20 And this is exactly why we're engaging 21 with the Office of Research because we want to 22 thoroughly understand this technology to ensure that 23 when licensees implement this technology or they 24 desire to do so we ensure that they provide the high 25 assurance that this technology is not going to impact NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
105 1 the current cyber security posture or the CDAs that 2 they're already protecting.
3 MEMBER MARCH-LEUBA: Just for fun, Google 4 NIST vulnerability database. Go in there, click on 5 search and you can type key words. It's scary.
6 MR. FERNANDEZ: Absolutely, sir.
7 MEMBER MARCH-LEUBA: It's scary. There 8 are at least 5,000 this year.
9 MR. FERNANDEZ: Yes, sir. I had looked a 10 little bit into it, and you're right. If you go to 11 the NIST website, you're absolutely correct. VPNs 12 that have vulnerabilities all will be listed there 13 currently where they're having the NIST database.
14 That's a very good source of information 15 for vulnerability assessments.
16 CHAIR BROWN: It got it. Jose, there's 17 other ways to do that. You can also send data to a 18 wireless device through a data diode and then it can 19 get transmitted as long as you disconnect at that 20 point.
21 So you can get the data out if you want.
22 It's cumbersome, but you can do it by isolating. And 23 that way you don't allow something -- and you don't 24 have a way for --
25 MEMBER MARCH-LEUBA: I understand, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
106 1 Charlie. I want to make a joke. When you are a 2 hammer, everything looks like a nail. And your nail 3 is your voice. And it's a very good one. It's a very 4 good. It's gets you the 99 percent.
5 CHAIR BROWN: Yes. I'm a nail person.
6 You're exactly right, along with a hammer. Joy, one 7 other thing when you talked about with the plant 8 shutdown, wireless shouldn't be a concern. The 9 wireless can come in and plant malware into your 10 systems if you start letting it in even with the plant 11 shutdown then it gets you after you're up.
12 MEMBER REMPE: Yes. I'm talking about the 13 Fukushima plant being shut down. But, yes, I get what 14 you're saying. But it's just something that if 15 there's a way that we could adapt it in a safe way, it 16 would be of interest, I think.
17 CHAIR BROWN: It hasn't stopped me yet.
18 MEMBER REMPE: Anyway, it's just something 19 to think about.
20 MR. FERNANDEZ: Absolutely.
21 MEMBER REMPE: And I would be interested 22 in how its progressing.
23 MR. FERNANDEZ: Absolutely. We are very 24 interested, too. That's why we are engaging with the 25 Office of Research and the DOE laboratory so we can NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
107 1 absorb, so to speak, all of this information and be 2 able to assess and evaluate and keep up with the 3 industries if they decide to go down this path.
4 CHAIR BROWN: Yes. I'm going to interrupt 5 here for a second. We've only got two slides left 6 other than the question mark slide. We were going to 7 have a break. Does anybody have a vote? Should we 8 take a 10 minute break right now, 15 minute break 9 rather and come back?
10 MR. FERNANDEZ: I'm okay to continue and 11 I think Brian is ready.
12 CHAIR BROWN: Members, do you all have any 13 voice?
14 MEMBER MARCH-LEUBA: I vote we continue.
15 CHAIR BROWN: Okay. All right. Go ahead.
16 MR. FERNANDEZ: Thank you, members. Now 17 I'm going to turn it over to Brian Yip, who is going 18 to be talking about the cyber security roadmap. Thank 19 you.
20 MR. YIP: Thanks, Mario. This is Brian 21 Yip, again. This is a real brief update. We were 22 requested to give an update on the cyber security 23 roadmap.
24 For background, the initial roadmap paper, 25 this is SECY paper that the staff put up in 2012 to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
108 1 provide the Commission with an update on the staff's 2 plans for implementing the cyber program early on.
3 We then provided a subsequent SECY paper 4 to the Commission in 2017 with an update to the cyber 5 roadmap. And this gave the Commission some 6 information on what the staff's plans were with regard 7 to the full implementation inspections that Jim 8 mentioned earlier in our briefing.
9 And it also gave the Commission some 10 additional information about the evaluation and 11 guidance that NRC had issue for other classes of 12 licensees. An example would be the staff put out a 13 best practices guide for non-power reactor cyber 14 security.
15 So now at this point, we're considering if 16 we were to provide an update to the cyber roadmap what 17 the future format of it should be. We're really at 18 the initial stages at this point. We're taking into 19 consideration what areas of the cyber program we need 20 to inform the Commission of and also any areas where 21 we think that we may need Commission direction. And 22 we're going to use some of those indicators to help us 23 determine what the appropriate vehicle is to 24 communicate that information.
25 If we did update the cyber roadmap, we NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
109 1 could do another SECY paper as we've done in the past.
2 We may do a Commissioner assistance note or a 3 Commissioner assistance briefing. However at this 4 point, we haven't made any decisions yet in that 5 regard. So we don't have much more that we can 6 provide you on the cyber roadmap other than that at 7 this time. And if there are no questions on that, I 8 can turn it back to Jim.
9 CHAIR BROWN: Okay. Go on, Jim. Thank 10 you.
11 MR. BEARDSLEY: Okay. Since the 12 Commission approved the Cyber Security Rule in 2009, 13 the staff and industry have made significant strides 14 in program implementation. The industry has completed 15 their two phase program implementation, and the staff 16 have conducted over 170 cyber security inspections 17 over the last eight years.
18 Based on those inspections, the staff had 19 found with reasonable assurance that industry has 20 implemented their cyber security programs.
21 The staff have received considerable 22 stakeholder feedback on the cyber security oversight 23 program through public meetings and our own self-24 assessment combined with inspection lessons and an 25 audit of the inspection program by the NRC's Office of NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
110 1 Inspector General. That feedback is being used to 2 further develop the NRC's graded approach to cyber 3 security oversight.
4 In addition, those insights, combined with 5 lessons from the interagency and international 6 partners, are being used to develop our approach to 7 cyber security for future licensees.
8 This completes our remarks, subject to 9 your questions.
10 CHAIR BROWN: Okay. Jim, are we done?
11 MR. BEARDSLEY: We are done.
12 CHAIR BROWN: Okay. Question mark page.
13 Scott or Tom, is there an issue with the public line 14 or what? Are we good?
15 MR. MOORE: Tom, this is Scott. I thought 16 the public line had been muted. So should we go to 17 comments after the break?
18 MR. DASHIELL: Yes, Scott. That would be 19 preferable. Can you hear me now?
20 MR. MOORE: Yes.
21 MR. DASHIELL: I just unmuted it using 22 star 6.
23 CHAIR BROWN: Okay. So you'd like to take 24 a 15 minute break and then we'll go do public comments 25 and then a round around the table.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
111 1 MR. MOORE: Yes, Chairman, that would be 2 best.
3 CHAIR BROWN: Okay. We'll come back here 4 at 4:32, make it 4:35 Eastern Standard Time and then 5 we'll resume with the public comments and then any 6 other final comments. Okay? We are recessed until 7 that time.
8 (Whereupon, the above-entitled matter went 9 off the record at 4:18 p.m. and resumed at 4:36 p.m.)
10 CHAIR BROWN: Okay. It's 4:35. And we 11 will resume the meeting. At this point, just to 12 confirm, Tom, is the public line open right now?
13 MR. DASHIELL: Yes, Charlie, it is.
14 CHAIR BROWN: Okay. Is there anybody on 15 the public line that would like to make any comments 16 relative to this meeting? Okay. Second question, is 17 there anybody on the public line, again, that would 18 like to make any comments? Okay. Hearing none, 19 Thomas?
20 MR. DASHIELL: The public line is muted.
21 CHAIR BROWN: Okay. Thank you. At this 22 point, we will go ahead and go around. Do any of the 23 members have any additional comments that they would 24 like to provide or ask, I should say?
25 MEMBER PETTI: Charlie, I have one.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
112 1 CHAIR BROWN: Yes, go ahead.
2 MEMBER PETTI: And, again, I may just be 3 off-base. Before I got the documents, particularly in 4 light of Part 53, I mean, I understand this is all 5 about a process of identifying critical assets that 6 need protection. I'm not talking about that.
7 What I was looking for was guidance that 8 an advanced reactor designer would need to help them 9 in the designs of some of their systems.
10 You know, I saw the data diode. It's in 11 there. But I didn't see a concise list of, you know, 12 these are sort of either the design philosophies or 13 actual, you know, for lack of a better term, 14 requirements or guidance that the NRC finds that this 15 is an acceptable set of approaches that would work but 16 these are those that aren't. Is it just that that's 17 somewhere else?
18 CHAIR BROWN: No.
19 MEMBER PETTI: And you wouldn't expect to 20 find it here?
21 CHAIR BROWN: No, you're right. Normally, 22 we have covered that. This is my interpretation of 23 what we've done, and you've got to look at different 24 systems.
25 We fundamentally look at it from a design NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
113 1 certification standpoint. And we normally deal with 2 the digital I&C systems, which result in a safety 3 monitoring control safeguards, whatever they may be, 4 whatever configuration they may take.
5 And in the old methodology, there was a 6 Chapter 7, which covered all of the I&C systems. And 7 we normally developed -- or they did develop 8 fundamentally, a functional one line diagram of the 9 basic architecture showing that they meet the 10 frameworks of redundancy, independence, deterministic 11 processing, control of access and diversity and 12 defense in-depth.
13 And there we have looked at the 14 interrelations of the various systems and what type of 15 communications they make and where they go to and 16 where they don't go to. And so that has been covered 17 in great detail as part of the design certification 18 approvals.
19 MEMBER PETTI: So there's nothing new that 20 cyber would add on top of that?
21 CHAIR BROWN: No. Fundamentally, if you 22 look at the words and you go through the document --
23 and it's hard to find, okay -- system by system and 24 you look and see how does it deliver data someplace 25 else?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
114 1 For instance, a reactor trip system 2 doesn't have to receive any data. I mean, it just 3 either scrams the plant or it doesn't. So it can send 4 data out, but you want it to do it through a data 5 diode, a type of unidirectional non-software based 6 data circumstance transmission.
7 So you do that, you evaluate that in that 8 context, bidirectional versus unidirectional, as we 9 have talked about several times.
10 So you're right. We don't go -- there's 11 nothing that says this is a hard and fast criteria.
12 We try to use our heads as we're looking at the 13 design.
14 MEMBER PETTI: Okay.
15 CHAIR BROWN: And it gets difficult 16 sometimes needless to say. Are there any other member 17 comments?
18 MEMBER MARCH-LEUBA: Yes. This is Jose.
19 This is going to be a little out of character, but I 20 found this presentation really interesting. It's an 21 interesting topic.
22 Overall, well done. The staff has done a 23 fantastic job trying to do a difficult task. And I 24 want to congratulate you. But stay on top of it 25 because things change daily so don't sleep on your NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
115 1 laurels. Thank you.
2 CHAIR BROWN: Thank you, Jose. Is there 3 anybody else that would like to say anything?
4 MR. HECHT: This is Myron. If I could 5 just add a comment with respect to the research 6 initiatives that were being planned.
7 CHAIR BROWN: Yes.
8 MR. HECHT: There is a plethora, a huge 9 amount of work, that's been done on industrial 10 controlled cyber security in the ISA standard, ISA 99 11 Series. There's an awful lot of work that's been 12 done.
13 And many of the questions that have been 14 raised here, what if, you know, what if questions, 15 change control, just new vulnerabilities that are 16 coming up. That's all largely addressed in those 17 standards. And I would advise that research be 18 directed to look at those as part of their activities 19 as well.
20 CHAIR BROWN: Okay. Thank you very much, 21 Myron. If you can identify some of those and send 22 them to me, I would like to see them.
23 MR. HECHT: Sure. I can do that.
24 CHAIR BROWN: If you can identify a few of 25 them, thank you. You all --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
116 1 MEMBER REMPE: This is Joy, Myron. If you 2 could do this soon, we do have a meeting tomorrow 3 afternoon. And we don't really direct research to do 4 anything. We make recommendations of things they 5 should be considering. But it would very timely if 6 you could get this out to us, you know, before like, 7 I guess, it's what 2 o'clock, the time tomorrow.
8 CHAIR BROWN: If you could get --
9 MR. HECHT: I can give you a short list of 10 the major ones, yes.
11 MEMBER REMPE: It doesn't have to be, 12 yes, everything. But anyway, it would help us out.
13 CHAIR BROWN: Okay. Yes. Send it to 14 Christina, and she can get it to everybody. Okay?
15 MEMBER MARCH-LEUBA: I mean, would it be 16 possible to task Myron to be in the meeting tomorrow 17 because he's the one that knows.
18 MEMBER REMPE: Actually, I just don't 19 think we need that. One, it's kind of late to have to 20 send him all this information. It would just help us 21 if you got us a list. It's not necessary for you to 22 listen to -- we're going to be going through a lot of 23 things that are covered by the Division of 24 Engineering, and it would be a waste of Myron's time 25 to have to sit through the whole meeting for that.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
117 1 MEMBER MARCH-LEUBA: But, Myron, as an 2 interested member of the public, there is an open line 3 that you can always log in if you are bored on a 4 Friday afternoon. You won't have a voice until at the 5 end of the meeting.
6 MR. HECHT: Thanks.
7 CHAIR BROWN: Any other comments from 8 members?
9 MEMBER KIRCHNER: Yes, Charlie. This is 10 Walt. Thank you to the staff for the presentations.
11 I second Jose's comments on the staff's presentation.
12 If it's possible, could Christina obtain 13 the white paper that Eric Lee presented? I thought 14 the conceptual approach that he described on safety-15 related and important to safety of much interest and 16 relevant to our deliberations on 10 CFR 53. Thank 17 you.
18 MS. ANTONESCU: Yes, Walt, I already sent 19 it to everybody. I'll try to resend it to you, too.
20 MEMBER KIRCHNER: No, don't resend it.
21 I'm just not monitoring my email in real-time. Thank 22 you.
23 MS. ANTONESCU: On, you're welcome.
24 MEMBER SUNSERI: Hey, Charlie, this is 25 Matt.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
118 1 CHAIR BROWN: Just let me answer Walt. I 2 think it might be in the package that you got for this 3 meeting. If I can -- is it the one on safety, safety-4 related? There were three of them in there, one on 5 balance of plant, one on security and the other white 6 paper, I think, was on safety and safety-related.
7 MEMBER KIRCHNER: Okay. I'll look for it, 8 Charlie. I don't want to create extra work for 9 anyone. Thank you.
10 CHAIR BROWN: I'll try to let you know 11 which ones they are if I can remember that long.
12 Somebody else was speaking up when I interrupted. I 13 apologize for that.
14 MEMBER SUNSERI: Charlie, it's Matt. I 15 was just curious. From a planning perspective, are 16 you planning on recommending that we write a letter on 17 this topic?
18 CHAIR BROWN: No. This is strictly an 19 information briefing right now. Our letter would be 20 on 5.71. That's the key point for us to go do. So 21 that's coming up. That revision process is in 22 process. So that's where I've got my focus right now.
23 MEMBER SUNSERI: Thank you.
24 CHAIR BROWN: Okay. Anybody else? Okay.
25 I'll wrap-up. Michele and Jim, I want to thank you NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
119 1 all for a very good, well done presentation.
2 For some reason, these presentations on 3 mass subjects always end up with some very excellent 4 discussion with a wide range of viewpoints, which is 5 also very, very useful.
6 So I think your presentation engendered 7 some of that. And that was much appreciated. And 8 your ability to respond on the spot is also much 9 appreciated. It certainly is indicative of the good 10 work that you guys are doing.
11 So I wanted to thank you very much for a 12 very well done presentation and very complete in terms 13 of your ability to describe some details of what you 14 all were doing and what you've seen.
15 So, Jim, Michele, thank you all. Much 16 appreciated. With no more ado, I guess it's time for 17 me to adjourn the meeting and the rest of the members, 18 we'll re-adjourn tomorrow morning sometime. Everybody 19 take care. The meeting is adjourned.
20 (Whereupon, the above-entitled matter went 21 off the record at 4:47 p.m.)
22 23 24 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
NRC Cyber Security Oversight Program Update July 2021 Jim Beardsley, Chief Cyber Security Branch (CSB)
Division of Physical and Cyber Security Policy (DPCP)
Office of Nuclear Security and Incident Response (NSIR) james.beardsley@nrc.gov
Key Messages
- The NRC staff is committed to maintaining an efficient, robust cyber security program that can adequately protect against the dynamic cyber threat environment.
- The cyber security inspection program has verified that licensees have adequately implemented the cyber security regulations.
- Lessons learned from the implementation of the cyber security oversight program are being used to implement efficiencies and enhancements to the cyber security program and update RG 5.71.
- Experience gained with the operating reactors oversight provide the NRC staff with insights for implementing appropriate levels of cyber security for other licensees including SMRs and other technologies.
7/22/2021 2
Power Reactor Cyber Security Background Licensee Interim RG 5.71 & NEI 08-09 Implementation Implementation Completed NRC Cyber Guidance Acceptable Security for Use Notification Rule Full 10 CFR 73.77 Implementation NRC & Industry agree on MS 1 - 7 10 CFR Implementation 73.54 Schedule Industrys Interim Implementation Schedule MS 1 - 7 Inspections 2009 2010 2011 2012 2013 2014 2015 2016 2017
- Interim Implementation included seven milestones All NPPs Cyber
- 2013-2015 Interim Implementation inspections at all 63 operating NPPs Security Plans &
Implementation
- Identified challenges with guidance and inspections processes Schedules Approved
- 2016-2017 Improved industry guidance, full oversight program and improved inspector training implemented.
RG- Regulatory Guide NEI - Nuclear Energy Institute CFR - Code of Federal Regulation 7/22/2021 3
RG 5.71 Cyber Security Program Implementation
- 1. Cyber Security Assessment Team
- 2. Identify Critical Digital Assets (CDAs)
- 3. Implement Defensive Architecture
- 4. Apply Security Controls RG- Regulatory Guide NEI - Nuclear Energy Institute 7/22/2021 4
Generic Defensive Architecture Security / Safety Systems Site Network Corporate Network Internet One-way Deterministic Device 7/22/2021 5
Power Reactor Cyber Security Background Licensee Interim RG 5.71 & NEI 08-09 Implementation Implementation Completed NRC Cyber Guidance Acceptable Security for Use Notification Rule Full 10 CFR 73.77 Implementation NRC & Industry agree on MS 1 - 7 10 CFR Implementation Full Implementation 73.54 Schedule Industrys Interim Inspections at all Implementation Schedule Licensee Sites MS 1 - 7 Inspections 2009 2017 2020/
2010 2011 2012 2013 2014 2015 2016 2018 2019 2021
- Full Implementation Inspections 2017-2021.
All NPPs Cyber
- 2017-2021 Full Implementation inspections at all 58 operating NPPs.
Security Plans &
Implementation
- Inspection identified some findings of very low safety significance.
Schedules Approved
- In general, industry has demonstrated program effectiveness.
RG- Regulatory Guide NEI - Nuclear Energy Institute CFR - Code of Federal Regulation 7/22/2021 6
Future of Power Reactor Cyber Oversight Licensee Interim RG 5.71 & NEI 08-09 Implementation Implementation Completed NRC Cyber Guidance Acceptable Security for Use Notification Rule Full 10 CFR 73.77 Implementation NRC & Industry agree on MS 1 - 7 10 CFR Implementation Full Implementation 73.54 Schedule Industrys Interim Inspections at all Implementation Schedule Licensee Sites MS 1 - 7 Inspections Future 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020/21 Inspection Program
- Cyber Security Program Assessment (ML19175A210)
- Independent Assessment Team
- Licensees and other External Stakeholders (including FERC)
All NPPs Cyber
- Many actionable comments received Power Reactor Security Plans &
Implementation
- Staff developed an Action Plan to address the challenges Cyber Security Schedules Approved identified during the assessment Self-Assessment
- Phased approach
- Critical digital asset determination initial focus areas RG- Regulatory Guide - Focus on defense-in-depth NEI - Nuclear Energy Institute CFR - Code of Federal Regulation 7/22/2021 7
Cyber Security Action Plan
- Clarifications of program definitions & terms
- Review criteria for digital asset analysis and protection
- Emergency Preparedness (EP) Initial
- Balance-of-Plant (BoP) Focus Area
- Safety-Related and Important-to-Safety SR/ItS
- Security
- Best practices for digital asset assessment RG 5.71
- Risk-inform control set applied to protect digital assets
- Future inspection program Initial Focus
- Inform oversight with licensee performance metrics Area
- Evaluate performance testing as a element in the oversight program 7/22/2021 8
- Changes are related to 10 CFR 73.54 section (b)(1)
- Aligns with EP requirements and program implementation.
- EP DAs classified as CDAs if the DA(s) is compromised and the EP function cant be performed
- Objective: properly classify the number of EP risk significant CDAs, and reallocate resources for more focus in the Safety & Security Critical Systems.
- Accepted by the NRC in August 2020 following staff review and public meetings
- Initial public meeting to discuss proposed changes in November 2019
- NEI first submittal in November 2019
- NEI submitted revised paper to address staff concerns in April 2020
- Tabletop workshop conducted to discuss proper implementation August 2020
- Licensees may implement the changes prior to the revision of NEI 10-04 and NEI 13-10 guidance
- Changes will be incorporated in future revisions of the NEI guidance (above)
CDA: Critical Digital Asset DA: Digital Asset EP: Emergency Preparedness 7/22/2021 NEI: Nuclear Energy Institute 9
BoP CDA Determination
- Industry has proposed changes to BoP CDA determination guidance
- BoP CDAs are those CDAs that were added to the scope of the cyber security rule during the resolution of FERC Order 706-B
- Industry proposed aligning the BoP CDA evaluation criteria with the latest NERC CIP standards which are based on impact to the Bulk Electric System (BES) by revising the guidance found in NEI 10-04 and NEI 13-10.
- Accepted by the NRC in August 2020 following staff review and public meetings
- Initial public meeting to discuss in January 2020
- NEI first submittal in April 2020
- NEI submitted revised paper to address staff concerns in July 2020
- Licensees may implement the changes prior to revision of NEI 10-04 and NEI 13-10 which will roll up all changes.
CDA - Critical Digital Asset FERC - Federal Energy Regulatory Commission BoP - Balance of Plant NERC - North American Electric Reliability Corp.
NEI - Nuclear Energy Institute CIP - Critical Infrastructure Protection 7/22/2021 10
SR/ItS CDA Determination
- The proposed guidance refined SR/ItS CDA determination criteria
- Defined terms safety-related, and important-to-safety functions in the context of cyber security based on how the NRC historically used these terms.
- Aligned the SR/ItS CDA identification criteria with the NRCs safety regulations.
- Accepted by NRC in August 2020 following staff review and public meeting.
- Initial discussion on the subject in August 2019
- Submitted for review in May 2020: public meeting in June 2020
- NEI submitted revision that addressed staff concerns in July 2020.
- Licensees may implement the changes prior to revision of NEI 10-04 and NEI 13-10 which will roll up all changes.
SR - Safety Related CDA - Critical Digital Asset ItS - Important to Safety NEI - Nuclear Energy Institute 7/22/2021 11
Security CDA Determination
- The effort focused on refining CDA determination and classification criteria for security digital assets.
- Defines security function in the context of cyber security;
- Addresses digital security tools and security support systems;
- Clarifies cyber security protection for digital assets used for access authorization.
- Accepted by NRC in June 2021 following staff review and public meeting.
- Initial draft received in December 2020; public meeting in January 2021.
- Response to NEI in April 2021: additional guidance needed on security support systems; more clarity in access authorization.
- NEI submitted revision that addressed staff concerns in June 2021.
CDA - Critical Digital Asset NEI - Nuclear Energy Institute 7/22/2021 12
Post Full Implementation Inspection Program
- Performance Informing Initiatives
- Performance Metrics:
- Staff and industry have conducted two public meetings to discuss the voluntary use of licensee performance metrics to inform future inspections.
- Performance Testing:
- Staff and industry have discussed the potential for informing future inspections with licensee performance testing results.
- A structure for review of performance metrics and testing results has been included in the draft inspection procedure.
- Staff conducted a public meetings in February and April 2021 to discuss the proposed inspection process and receive stakeholder feedback.
7/22/2021 13
Part 53 Rulemaking Cyber Security Approach 10 CFR 73.110 Cyber Security 7/22/2021 14
Cyber Security Rule Petition for Rulemaking
- PRM-73-18 submitted by NEI in 2014.
- Staff assessed the PRM in 2017 and further in 2019.
- Decision on the PRM deferred to evaluate the impact of cyber program assessment action plan activities.
- The Commission is expected to make a decision on the petition in July 2021.
7/22/2021 15
Regulatory Guide 5.71 Update
- Published Regulatory Guide 5.71 (2010)
- 2016 Initiated update to Regulatory Guide 5.71
- Issued DG-5061 for public comment (2018)
- In 2021, staff updated DG-5061 to incorporate the program changes implemented since 2018.
- Plan to issue updated DG-5061 for 2nd public comment in Aug.
- Plan to issue RG 5.71 Revision 1 in Spring 2022 7/22/2021 16
Cyber Security Engagement with RES
- Attack Surface for Cybersecurity Monitoring and Oversight
- Licensee Network Replica for Cybersecurity Training
- Wireless Communication Technologies (Safety &
Security)
- Cybersecurity Expert Seminars 7/22/2021 17
Wireless Technology and New Licensees
- Public Meeting on February 20, 2020
- Current wireless implementations
- Potential future wireless initiatives
- Future Wireless Technology Engagements
- Discuss specific examples for potential industry initiatives and how they might fit into the regulatory framework.
- Staff are working with the DOE laboratories and the Light Water Reactor Sustainability Program to evaluate potential industry wireless implementations 7/22/2021 18
Cyber Security Roadmap Update
- The initial roadmap paper was completed in 2012 (ML12135A050).
- The paper was updated in 2017 (ML16354A258).
- Staff is weighing best approach for future updates:
- Acknowledging other processes that will keep the Commission informed (e.g., Part 53 rulemaking process).
- Considering whether there are areas where additional Commission guidance may be necessary.
7/22/2021 19
Conclusion
- The cyber security inspection program has verified that licensees have adequately implemented the cyber security regulations.
- Staff conducted an assessment of the program in 2019 including significant stakeholder feedback, focus areas are being addressed.
- Staff and Industry are further implementing graded-approaches for the CDA selection and protection of EP, BoP, Security and Safety-Related/Important-to-Safety digital assets.
- Staff are performance-informing cyber security oversight.
- Evaluating cyber security implications for wireless connectivity and appropriate cyber security for new licensees.
- Staff are evaluating graded approaches for cyber security for new licensee/applicants.
7/22/2021 20
Questions 7/22/2021 21