ML21272A192

Summary of September 17, 2021, Public Meeting on the Nuclear Energy Institute's White Paper on Security Critical Digital Assets
Person / Time
Issue date: 09/29/2021
From: Brian Yip
NRC/NSIR/DPCP/CSB
To: Jim Beardsley
Office of Nuclear Security and Incident Response



MEMORANDUM TO: James D. Beardsley, Chief, Cyber Security Branch, Division of Physical and Cyber Security Policy, Office of Nuclear Security and Incident Response

FROM: Brian M. Yip, IT Specialist (Cyber), Cyber Security Branch, Division of Physical and Cyber Security Policy, Office of Nuclear Security and Incident Response

SUBJECT: SUMMARY OF SEPTEMBER 17, 2021, PUBLIC MEETING TO DISCUSS IMPLEMENTATION OF THE NEI WHITE PAPER ON SECURITY CRITICAL DIGITAL ASSETS DATED JUNE 2021

On September 17, 2021, the U.S. Nuclear Regulatory Commission (NRC) conducted a partially closed public meeting to discuss the Nuclear Energy Institute's (NEI's) white paper, "Changes to NEI 10-04 and NEI 13-10 Guidance for Identifying and Protecting Digital Assets Associated with Security," dated June 2021 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML21155A216). The purpose of the public meeting was for the NRC staff and industry representatives to discuss the provisions of the white paper and case studies for licensee implementation. In a letter dated June 30, 2021, the NRC informed NEI that it had reviewed the white paper and found it consistent with the NRC's cyber security requirements and NEI 08-09, "Cyber Security Plan for Nuclear Power Reactors," Revision 6 (ADAMS Accession No. ML101180437). The meeting notice, "Notice of Meeting with the Nuclear Energy Institute to Discuss Changes to Guidance on Protection of Security Critical Digital Assets," dated September 3, 2021, is available at ADAMS Accession No. ML21250A259.

The NRC and NEI opened the meeting with an overview of the white paper and provided an opportunity for any public comments. No participants provided comments or asked questions.

Following the opening session, the meeting moved to a closed session to allow for the discussion of sensitive security-related and licensee proprietary information. During the closed session, industry representatives discussed specific cyber security strategies for implementing the white paper guidance changes, addressing access authorization digital assets, digital security tools, and security support equipment.

During the access authorization discussion, industry representatives discussed the 11 minimum security controls identified in the white paper that licensees must address to ensure integrity of authorization digital assets and data, as well as configuration management processes to ensure those digital assets remain protected over time. On the issue of secondary verification of data transferred out of an access authorization system and into the plant security computer system, industry representatives noted that the white paper allows for either manual or digital secondary verification to account for different licensee implementations where cryptographically protected source data is available for verification.

CONTACT: Brian Yip, NSIR, 301-415-3154

September 29, 2021

Signed by Yip, Brian on 09/29/21

In the area of security support equipment and digital security tools, the NRC staff noted that the white paper identifies these as separate categories of assets with separate screening criteria, and licensees should ensure they avoid conflating the two when performing their analyses.

Additionally, the staff highlighted that when analyzing security support equipment, timely detection of a compromise must ensure that the licensee identifies failure or compromise of the digital asset prior to it adversely affecting the security function it supports. If licensees rely on the failure of support equipment to be self-evident rather than using active monitoring, they must ensure the ability to implement alternate means prior to an adverse impact to a security function.

In closing, the NRC and NEI noted that the NRC has found this white paper consistent with the cyber security requirements and cyber security plan template, and that licensees may implement the guidance changes now. NEI plans to integrate this white paper, as well as its white papers on other classes of critical digital assets, into revisions to NEI 10-04 and NEI 13-10 and submit them for NRC review and approval in the near future.

Memo: ML21272A192
OFFICE: NSIR/DPCP/CSB
NAME: BYip
DATE: Sep 29, 2021