ML21294A274

Draft Guidance Document for Development of RFI - Rev 4
ML21294A274
Person / Time
Issue date: 10/21/2021
From: Nelson G
NRC/NSIR/DPCP/CSB
To:
Nelson G


Text

United States Nuclear Regulatory Commission

CYBER SECURITY

Guidance Document for Development of the Request for Information (RFI) and Notification Letter for IP 71130.10 Cyber Security Inspection

Issue Date: xx-xx-xxxx

NOTICE: The focus of this document is to provide guidance to the NRC cyber security inspection personnel regarding the types of information typically requested, enabling the inspection team to make informed decisions when developing a site-specific cyber security inspection plan.

Table of Contents

1. Introduction
2. Overview and Purpose
3. Initial Documentation Requests - RFI #1
4. Initial Documentation Requests - RFI #2
5. Initial Documentation Requests - RFI #3
Appendix A - Glossary of Terms
Appendix B - Transmittal Letter (Example)
Appendix C - List of Acronyms

1 Introduction

Both the previously conducted Milestone 1 through 7 cyber security inspections and the full-compliance (i.e., Milestone 8) pilot inspections have demonstrated that a major factor impeding the ability of inspection personnel to perform their duties is the availability of relevant licensee documentation that supports or refutes the determination of compliance with a given aspect of the licensee's Cyber Security Plan (CSP) and Title 10, Code of Federal Regulations (CFR), Protection of Digital Computer and Communication Systems and Networks, Part 73, Section 54 (10 CFR 73.54). Although the practice of data-gathering site visits (i.e., bag-man trips) attempted to address this need, there remains a continuing problem of the need to search through huge amounts of documentation, which all too often turns out to be inadequate or non-applicable, to settle the issue of compliance with cyber security requirements. One of the related problems has been inconsistency among the various licensees in regard to the types of documentation they maintain, and the descriptions or titles used for various types of documentation. To improve the effectiveness and consistency of the data gathering process, this guidance document has been developed to provide specific details about the kinds of information and data that could be requested from the licensee during the inspection preparation activities.

2 Overview and Purpose

This document is intended to be used as a guidance document to develop the RFI and notification letter issued to licensees for implementation of the full-compliance cyber security inspection. The first round of requested information concentrates on providing the inspection team with the general information necessary to develop a site-specific inspection plan. The requested information includes the identification of critical systems (CSs) and critical digital assets (CDAs), Nuclear Energy Institute (NEI) 08-09, Revision 6, Appendix D & E controls, and programmatic CSP elements that will form the sample set for the Cyber Security Inspection Procedure (IP) 71130.10. The information requested will also aid in understanding the licensee's application of NEI 13-10 and how or if it impacts inspection planning. The inspectors' review of the first round of information will result in additional, more focused, follow-on requests for information.

The documentation listed in Section 3 is intended to be as comprehensive as possible, and the inspection team may find that some of the items are not relevant or applicable to their licensee's plant and program. Therefore, the team may use all or only selected parts of the documentation identified in Section 3.

In addition to providing a comprehensive list of information to be requested, this guidance document also provides descriptions (i.e., for most of the listed document types) that detail the content that is expected for each and, for some of the documents, Section 4 provides an actual example document to show the form and format of the document as it is expected to be supplied by the licensees. A primary objective of this guidance document is to establish a consistent and standardized process that aids both the licensees and NRC personnel in the identification and collection of the specific information needed to perform the cyber security inspection. Note that this document attempts to avoid assigning a specific name to some sets of information, and offers a description instead, since licensees may or may not use the same nomenclature for the requested information.

The table below, Sequence of Request for Information, specifies the sequence of documentation requests issued to the licensee prior to implementation of the cyber security inspection. The first RFI concentrates on providing the inspection team with the general information necessary to select appropriate components and CSP elements to develop a site-specific inspection plan. The first RFI is used to identify the list of CSs/CDAs plus operational and management (O&M) security control portions of the CSP to be chosen as the sample set required in the cyber security IP.

The inspectors' review of the returned documentation from the first RFI will be utilized to provide a more focused follow-up request during a second RFI. Examining the returned information from the first RFI, the inspectors will identify and select specific systems and equipment (e.g., CSs/CDAs) to develop the second RFI. The second RFI will request additional information required to evaluate the CSs/CDAs, defensive architecture, and the areas of the licensee's CSP selected for the cyber security inspection.

NRC Request for Information #1 (see Note 1)

| No. | Section 3, Paragraph Number/Title | IP Ref. |
|---|---|---|
| 1 | A list of all Identified Critical Systems and Critical Digital Assets, and non-CDA digital assets used in the cyber defensive architecture, (e.g., firewalls, SIEM, NIDS/NIPS, kiosks, access authorization, 10 CFR 73.55 equipment not part of the security system) - highlight/note any changes (e.g. additions, deletions, reclassifications) since the last cyber security inspection, including changes to boundary devices | Overall |
| 2 | A list of CDA and DA wireless Industrial networks | Overall |
| 3 | A list of EP and Security onsite and offsite digital communication systems | Overall |
| 4 | Network Topology Diagrams to include information and data flow for critical systems in levels 2, 3 and 4 (If available) | Overall |
| 5 | Ongoing Monitoring and Assessment program documentation | 03.01(a) |
| 6 | The most recent effectiveness analysis of the Cyber Security Program | 03.01(b) |
| 7 | Vulnerability screening/assessment and scan program documentation | 03.01(c) |
| 8 | Cyber Security Incident response documentation, including incident detection, response, and recovery documentation as well as contingency plan development, implementation and including any program documentation that requires testing of security boundary device functionality | 03.02(a) and 03.04(b) |
| 9 | List of all network security boundary devices for EP networks and all network security boundary devices for levels 3 and 4 | 03.02(b) |
| 10 | Device Access and Key Control documentation | 03.02(c) |
| 11 | Password/Authenticator documentation | 03.02(c) |
| 12 | User Account/Credential documentation | 03.02(d) |
| 13 | Portable Media and Mobile Device control documentation, including kiosk security control assessment/documentation | 03.02(e) |
| 14 | List of all design changes completed since the last inspection, including 50.59 documentation and the design changes/modifications program documentation | 03.03(a) |
| 15 | Supply Chain Management documentation including any security impact analysis for new acquisitions | 03.03(a), (b) and (c) |
| 16 | Configuration Management documentation including any security impact analysis performed due to configuration changes since the last inspection | 03.03(a) and (b) |
| 17 | Cyber Security Plan and any 50.54(p) analysis to support changes to the plan since the last inspection | 03.04(a) |
| 18 | Cyber Security Assessment team documentation to include any training documentation (both general cyber security training and any specialized training) | 03.04(c) |
| 19 | Cyber Security Metrics tracked (if applicable) | 03.06 (b) |
| 20 | Provide documentation describing your access authorization program | Overall |
| 21 | Provide a list of all procedures and policies provided to the NRC with their descriptive name and associated number | Overall |
| 22 | Performance testing report (if applicable) | 03.06 (a) |

NRC Request for Information #2

For the system(s) chosen for inspection provide:

| No. | Section 3, Paragraph Number/Title | IP Ref. |
|---|---|---|
| 1 | Ongoing Monitoring and Assessment activity performed on the system(s) | 03.01(a) |
| 2 | All Security Control Assessments for the selected system(s) | 03.01(a) |
| 3 | Any effectiveness analysis for the security controls that have been performed on the system(s) | 03.01(b) |
| 4 | All vulnerability screenings/assessments associated with or scans performed on the selected system(s) since the last inspection | 03.01(c) |
| 5 | Documentation (including configuration files and rules sets) for Network-based Intrusion Detection/Protection Systems (NIDS/NIPS), Host-based Intrusion Detection Systems (HIDS), and Security Information and Event Management (SIEM) systems for system(s) chosen for inspection | 03.02(b) |
| 6 | Documentation (including configuration files and rule sets) for intra-security level firewalls and boundary devices used to protect the selected system(s) | 03.02(c) |
| 7 | Copies of all periodic reviews of the access authorization list for the selected systems since the last inspection | 03.02(d) |
| 8 | Baseline configuration data sheets for the selected system(s) | 03.03(a) |
| 9 | Documentation on any changes, including Security Impact Analyses, performed on the selected system(s) since the last inspection | 03.03(b) |
| 10 | Copies of the purchase order documentation for any new equipment purchased for the selected systems since the last inspection | 03.03(c) |
| 11 | Copies of any cyber security drills performed since the last inspection | 03.02(a), 03.04(b) |
| 12 | Copy of the individual recovery plan(s) for the selected system(s) including documentation of the results the last time the backups were executed. | 03.02(a), 03.04(b) |
| 13 | Corrective actions taken as a result of cyber security incidents/issues to include previous NRC violations and Licensee Identified Violations since the last cyber security inspection | 03.04(d) |

Information provided to the NRC at the start of the inspection

| No. | Section 3, Paragraph Number/Title | IP Ref. |
|---|---|---|
| 1 | Any cyber security event reports submitted in accordance with 10 CFR 73.77 since the last cyber security inspection | 03.04(a) |
| 2 | Updated Copies of corrective actions taken as a result of cyber security incidents/issues, to include previous NRC violations and Licensee Identified Violations since the last cyber security inspection, as well as vulnerability-related corrective actions | 03.04(d) |

Notes:

1. This table does not address the full set of O&M and technical controls in Regulatory Guide (RG) 5.71, nor NEI 08-09, Revision 6, nor all of the CSP areas enumerated in the Cyber security IP. Additional information requests may be made for those items not addressed in the table once the inspection team has finalized the inspection plan and during the onsite inspection.

3 Initial Documentation Requests - RFI #1

The following information should be requested from licensees as early in the inspection planning process as possible, preferably as part of the formal 120-day inspection notification letter, and should be used to guide the inspection team's decisions regarding focus areas for development of the site-specific inspection plan.

1. List All Identified Critical Systems and Critical Digital Assets

NEI 08-09, Revision 6 Review Elements: A.3.1.3
CSP Performance Elements: A.2.2.3, A.2.2.15
Cyber security IP: Overall

a. For each CDA and non-CDA cyber defensive digital asset, provide the following information in a tabular format using an Excel spreadsheet workbook with a column for each of the following items of information:
1) Plant Identification (ID) and/or Designation (e.g., Equipment ID Number (EIN), Equipment Part Number (EPN), system name, etc.);
2) Safety, Security, and Emergency Preparedness (SSEP) Function/Designation (i.e., Safety, Important to Safety, Security, or Emergency Preparedness);
3) Any associated CS of which this CDA or digital asset is an element;
4) Type of Component (e.g., flow, pressure, or level transmitter/programmable logic controller (PLC)/recorder, etc.);
5) Manufacturer;
6) Model Number;
7) Software/Firmware Version Number(s);
8) Physical Location (locations if digital asset is composed of multiple elements);
9) Plant Cyber security Level (Level 1 - 4 or Not Networked) declared for the digital asset;
10) Critical Digital asset LAN ID or designation, if applicable;
11) If the CDA has been categorized using the NEI 13-10 approach, then include its direct (e.g., A.1 through B.4, if appropriate) or indirect (e.g., indirect, Emergency Preparedness (EP), Balance-of-Plant (BOP) or BOP-Trip) classification where applicable;
12) Brief description of the SSEP function the CDA performs (i.e., what makes the digital asset qualify as a CDA);
13) Network Drawing or Diagram Number (Also provide a portable document format (pdf) drawing or diagram);
14) Network Type, if digital asset is network connected (e.g., TCP/IP, DECNet, NovelNet (IPX/SPX), IBM Systems Network Architecture (SNA), Token-Ring, SONET, Asynchronous Transfer Mode (ATM), Fiber Distributed Data Interface (FDDI) and vendor-proprietary LANs such as Modbus+ and DataHighway/DataHighway+); and
15) All subsystems/support systems upon which this CDA depends.

2. List CDA and DA wireless industrial networks

NEI 08-09, Revision 6 Review Elements: A.2.1, A.3.1, A.3.1.3, A.3.1.4, A.3.1.5, A.4.3, A.4.4.3.2, D.1.4, D.1.15, D.1.17, D.1.22, D.2.8, D.3.3, D.3.4, D.3.6, D.3.7, D.3.14, D.3.15, D.3.16, E.3.4, E.5.6, E.6
CSP Performance Elements: A.2.2.3, A.2.2.7, A.2.2.15
Cyber security IP: Page 8, section 71130.10-02 Inspection Requirements, General Guidance, 02.07 Defense in Depth, Detection and Response, item a

a. The list shall identify all plant wireless industrial instrumentation LANs that are considered to be a non-Ethernet-TCP/IP fieldbus (i.e., [W]LANs based on, for example, Foundation Fieldbus H1, Highway Addressable Remote Transducer (HART), International Society of Automation (ISA) 100.11a, WirelessHART, Process Field Bus (PROFIBUS), etc.) and which includes at least two or more devices, where at least one device is a CDA or has connectivity to a CDA.
b. For each such LAN segment list provide the following:
1) A functional description of the LAN and instrumentation elements;
2) Plant ID and/or Designation (e.g., EIN, EPN, etc.) for each device/instrument connected to the LAN, plus its:
i. Make
ii. Manufacturer
iii. Model number
iv. Functions
v. Physical location (e.g., unit, elevation, section, etc.);
3) Associated Systems, if any, that interface to the LAN/fieldbus;
4) The security level of the LAN/fieldbus segment and devices (levels 1 through 4);
5) Describe the communications schema used on the LAN/fieldbus (e.g., MODBUS-plus, FOUNDATION Fieldbus H1, PROFIBUS, HART (including revision number), WirelessHART, ISA 100.11a (IEC 62734), etc.);
6) Any gateways used to connect to other LAN/fieldbuses and/or other computers/systems (e.g., an H1 to HSE bridge or a HART to PROFIBUS gateway);
7) The methods used for device configuration and commissioning, any programmable mobile media device used and the personnel authorized to make configuration changes; and
8) Any security measures implemented on the LAN/fieldbus or the attached devices (e.g., passwords in the instruments, encrypted messages, key management, etc.).

3. List EP and Security onsite and offsite digital communications systems

[Note: Potential SGI Designation]

NEI 08-09, Revision 6 Review Elements: A.2.1, A.3.1, A.3.1.3, A.3.1.5, A.4.3, A.4.6, A.4.7, D.1.17, D.1.22, D.3.4, D.3.6, D.3.7, D.3.9, D.3.12, D.4.2, D.4.3, E.5.5, E.5.6, E.8.2
CSP Performance Elements: A.2.2.3, A.2.2.8, A.2.2.15
Cyber security IP: Page 6, section 71130.10-02 Inspection Requirements, General Guidance, 02.02 Attack Mitigation, Incident Response, and Contingency Planning, item b

a. Provide a list of EP and Security onsite and external/off-site digital communications systems and devices either designated as CDAs or associated with SSEP functions as follows:
1) Include all digital communications systems and devices designated as CDAs or associated with or supporting SSEP functions. Examples of onsite and external/offsite digital communications systems and devices include:
i. Portable and base-station digital radios (security and non-security) including repeaters;
ii. Digital and/or Voice over Internet Protocol (VoIP) phone systems;
iii. Digital private branch exchanges (PBXs);
iv. Fax machines and associated analog phone lines;
v. Digital microwave links to other sites;
vi. Satellite phones; and
vii. Cellular phones (exclude personal cellular phones).
2) For each onsite and offsite digital communication system and/or CDA device provide the following:
i. Plant ID and/or Designation (e.g., EIN, EPN, etc.);
ii. Any associated CSs or CDAs;
iii. Make;
iv. Manufacturer;
v. Model-Number;
vi. General overview and description of its SSEP (or SSEP support) functions;
vii. Physical Location;
viii. Security level (1 through 4) assigned to the system/device; and
ix. Any in-plant and external network connections to the system/device or communication channels interfaced with the system/device.

NOTE - During the onsite inspection, a detailed list of onsite and offsite digital communications systems and devices will be required. Due to the SGI nature of the list, a highly-simplified and less information-rich version that does not constitute SGI would be adequate for the initial round of information gathering.

4. Network Topology Diagrams to include information and data flow for critical systems in levels 2, 3 and 4 (If available) (be sure to include all NIDS/NIPS and SIEMs for EP networks and Security level 3 and 4 networks)

NEI 08-09, Revision 6 Review Elements: A.2.1, A.3.1, A.3.1.3, A.3.1.4, A.3.1.5, A.4.3, A.4.4.3.2, D.1.4, D.1.15, D.1.17, D.1.22, D.2.8, D.3.3, D.3.4, D.3.6, D.3.7, D.3.14, D.3.15, D.3.16, E.3.4, E.5.6, E.6
CSP Performance Elements: A.2.2.3, A.2.2.7, A.2.2.15
Cyber security IP: Page 8, section 71130.10-02 Inspection Requirements, General Guidance, 02.07 Defense in Depth, Detection and Response, item a

a. For each LAN and/or LAN segment with CDAs on it, provide network topology diagrams which include and identify the following:
1) LAN interconnections with fiber optic, copper and wireless routes;
2) Identify all NIDS/NIPS and SIEM locations for EP networks and Security level 3 and 4 networks;
3) Logical and physical placement of network elements, components and network members;
4) Physical and network address information including subnet designations;
5) Data and information flow control;
6) Network components that have spare and/or unused interfaces (e.g., an Ethernet switch with unused ports);
7) For network elements that incorporate rules that block selected message traffic (e.g., switches, routers, firewalls, etc.) or that control the routing of message traffic (e.g., routers, switches) clearly identify this functionality on the diagram either through the use of standard symbols (e.g., Cisco symbol library) or explanatory text;
8) Spare and/or unused interfaces that are disabled via administrative (i.e., configuration settings) and/or by physical means;
9) Network components and/or elements that have a local-access interface (e.g., a console port) that are disabled via administrative (i.e., configuration settings) and/or by physical means; and
10) As an alternative, if the specific detailed information for the various network components (e.g., disabled, spare and console ports on a switch) is not on the available network drawings, but is provided on other related documents, then include those other documents as well. Refer to Section 4 for an example of a network topology diagram.

5. Ongoing Monitoring and Assessment program documentation

NEI 08-09, Revision 6 Review Elements: A.3.1, A.3.1.3, A.3.1.5, A.4.3, A.4.4, D.1.4, D.1.16, D.1.20, D.1.22, D.3.6, D.3.7, D.4.5, D.5.2, D.5.4, D.5.5, E.3.3, E.3.4, E.5.6, E.6, E.8.5, E.10.3, E.10.9
CSP Performance Elements: A.2.2.3, A.2.2.7, A.2.2.15
Cyber security IP: Page 5, second paragraph, section 71130.10-02 Inspection Requirements, General Guidance

a. Provide documentation to support the ongoing monitoring and assessment (OM&A) program which includes the following ongoing and monitoring procedures for:
1) Configuration management of CDAs;
2) Cyber security impact analyses of changes to CDAs or their environments to ensure cyber security controls are performing effectively;
3) Ongoing assessments to verify that the cyber security controls implemented for CDAs remain in place throughout the life cycle of the CDA;
4) Verification that rogue assets are not connected to the network infrastructure;
5) Ongoing assessments of the need for and effectiveness of the cyber security controls identified in Appendices D and E of NEI 08-09, Revision 6; and
6) Periodic cyber security program review to evaluate and improve the effectiveness of the Program.
b. List of automated support tools used for OM&A

6. Most recent Effectiveness analysis of the Cyber Security Program

NEI 08-09, Revision 6 Review Elements: A.3.1, A.3.1.3, A.3.1.5, A.4.3, D.1.4, D.1.16, D.1.20, D.1.22, D.3.6, D.3.7, D.4.5, D.5.2, D.5.4, D.5.5, E.3.3, E.3.4, E.5.6, E.6, E.8.5, E.10.3, E.10.9
CSP Performance Elements: A.2.2.3, A.2.2.7, A.2.2.15
Cyber security IP: Page 5, second paragraph, section 71130.10-02 Inspection Requirements, General Guidance

a. Provide the most recent effectiveness analysis of the cyber security program, including documentation that:
1) Provides insight for improving performance of the Cyber Security Program;
2) Assists in determining the effectiveness of cyber security controls in Appendices D and E of NEI 08-09, Revision 6;
3) Assists in ascertaining whether specific cyber security controls are functioning and are helping facilitate corrective action prioritization; and
4) Illustrates the fusion of Cyber Security Program activities data with the data obtained from automated monitoring and evaluation tools in a manner that can be tied to cyber security control implementation.

7. Vulnerability screening/assessment and scan program documentation

NEI 08-09, Revision 6 Review Elements: A.3.1, A.3.1.3, A.3.1.5, A.4.3, D.1.4, D.1.16, D.1.20, D.1.22, D.3.6, D.3.7, D.4.5, D.5.2, D.5.4, D.5.5, E.3.3, E.3.4, E.5.6, E.6, E.8.5, E.10.3, E.10.9
CSP Performance Elements: A.2.2.3, A.2.2.7, A.2.2.15
Cyber security IP: Page 5, second paragraph, section 71130.10-02 Inspection Requirements, General Guidance

a. Provide information on the licensee vulnerability screening and assessment process, including:
1) Procedures for acquiring, reviewing, screening, and assessing security alerts and advisories
2) Examples of five recent alerts that were screened and assessed using these procedures
b. Provide information on the licensee vulnerability scanning and assessment process, including:
1) Procedure for determining which assets are scanned and which are assessed
2) Procedure for vulnerability scanning, including periodicity
3) Examples of recent vulnerability scans
4) Procedures for non-scan assessments
5) Examples of recent vulnerability assessments

8. Cyber Security Incident response documentation (including incident detection, response, and recovery documentation as well as contingency plan development and implementation and also including any testing of security boundary device functionality)

NEI 08-09, Revision 6 Review Elements: A.3.1, A.3.1.2, A.3.1.4, A.3.1.5, A.4.3, A.4.4.3.1, D.1.4, D.1.15, D.1.22, D.2.2, D.3.3, D.2.8, D.3.6, D.3.7, D.3.9, E.3.1, E.3.3, E.3.4, E.4.3, E.6, E.9.3, E.9.4, E.10.2, E.10.3, E.10.4, E.10.5
CSP Performance Elements: A.2.2.2, A.2.2.3, A.2.2.7, A.2.2.8, A.2.2.15
Cyber security IP: Page 8, section 71130.10-02 Inspection Requirements, General Guidance, 02.07 Defense in Depth, Detection and Response, items a, b and c

a. The list shall include data-diodes, firewalls and other security mechanisms (i.e., security boundary devices), that are used to interconnect networks and/or network segments having different logical security level designations and/or used to manage and control information flows between and among CDAs and other systems/devices.
b. For each device on the list provide the following information:
1) Plant ID and/or Designation (e.g., EIN, EPN, etc.);
2) Identification of the LAN/WAN networks connected to the device;
3) Manufacturer;
4) Description;
5) Type of Component;
6) Model-Number;
7) Software and/or firmware version number;
8) Any associated measurement and test equipment (M&TE);
9) Physical Location; and
10) Unit (if applicable).
c. For each device on the list also provide the following:
1) Technical details on permitted remote administrative access (e.g., protections implemented to control access, personnel with access rights, alarms/notifications, etc.);
2) All user-alterable settings and administrative settings such as route tables, firewall rules/Access Control Lists (ACLs), audit logging settings, remote access settings, access control/account settings, communication option settings (including protocols used to administer and remotely access the device such as telnet, Hypertext Transfer Protocol (HTTP), Remote login (Rlogin), Secure Shell (SSH), etc.), operating system security policy settings, etc.;
3) For devices that permit or block message traffic flow, either in one and/or both directions through the device, provide the protocol-specific details (rules) for all such permitted/blocked message traffic;
4) Running or default start-up configurations (i.e., provide both, if different);
5) A description of asset functionality testing procedures; and
6) Examples of recent functionality testing.
d. For each identified network security boundary device, provide the detailed configuration information as a separate, computer-readable American Standard Code for Information Interchange (ASCII) text file (e.g., a Comma Separated Values (CSV) or Extensible Markup Language (XML)-tagged file).

9. List all network security boundary devices for EP networks and all network security boundary devices for levels 3 and 4

NEI 08-09, Revision 6 Review Elements: A.2.1, A.3.1, A.3.1.3, A.3.1.4, A.3.1.5, A.4.3, A.4.4.3.2, D.1.4, D.1.15, D.1.17, D.1.22, D.2.8, D.3.3, D.3.4, D.3.6, D.3.7, D.3.14, D.3.15, D.3.16, E.3.4, E.5.6, E.6
CSP Performance Elements: A.2.2.3, A.2.2.7, A.2.2.15
Cyber security IP: Page 8, section 71130.10-02 Inspection Requirements, General Guidance, 02.07 Defense in Depth, Detection and Response, item a

a. The list shall identify all plant wireless industrial instrumentation LANs that are considered to be a non-Ethernet-TCP/IP fieldbus (i.e., [W]LANs based on, for example, Foundation Fieldbus H1, Highway Addressable Remote Transducer (HART), International Society of Automation (ISA) 100.11a, WirelessHART, Process Field Bus (PROFIBUS), etc.) and which includes at least two or more devices, where at least one device is a CDA.
b. For each such LAN segment list provide the following:
  • A functional description of the LAN and instrumentation elements;
  • Plant ID and/or Designation (e.g., EIN, EPN, etc.) for each device/instrument connected to the LAN, plus its:
    o Make
    o Manufacturer
    o Model number
    o Functions
    o Physical location (e.g., unit, elevation, section, etc.);
  • Associated Systems, if any, that interface to the LAN/fieldbus;
  • The security level of the LAN/fieldbus segment and devices (levels 1 through 4);
  • Describe the communications schema used on the LAN/fieldbus (e.g., MODBUS-plus, FOUNDATION Fieldbus H1, PROFIBUS, HART (including revision number), WirelessHART, ISA 100.11a (IEC 62734), etc.);
  • Any gateways used to connect to other LAN/fieldbuses and/or other computers/systems (e.g., an H1 to HSE bridge or a HART to PROFIBUS gateway);
  • The methods used for device configuration and commissioning, any programmable mobile media device used and the personnel authorized to make configuration changes; and
  • Any security measures implemented on the LAN/fieldbus or the attached devices (e.g., passwords in the instruments, encrypted messages, key management, etc.).

10. Device Access and Key Control documentation

Cyber security IP: Page 7, section 71130.10-02 Inspection Requirements, General Guidance 02.05 Access Control and Media and Portable Device Protection, item a 1)

NEI 08-09, Revision 6 Review Elements: A.3.1.3, A.3.1.5, A.3.1.6, A.4.3, A.4.4.1, A.4.9.2, D.1.1, D.1.3, D.1.5, D.1.6, D.1.11, D.1.12, D.2.2, D.2.3, D.2.6, D.2.8, D.4.2, D.4.4, D.2.2, E.4.1, E.4.3, E.5.2, E.5.3, E.5.4, E.5.5, E.5.8, E.5.9, E.10.4, E.10.6, E.10.7

CSP Performance Elements: A.2.2.2, A.2.2.7, A.2.2.9, A.2.2.10, A.2.2.12, A.2.2.15, A.2.2.17

a. Provide the device access and key control procedure(s) that document the use of physical security measures and controls (e.g., locked enclosures and/or cabinets, key-card access-controlled and/or alarmed rooms, etc.) used to monitor and control physical access to CSs and/or CDAs.
b. For the procedure(s) provided the appropriate section(s) shall be identified and marked (i.e., highlighted) that explain the processes which:
1) Describes the process used to authorize, issue, and track the use of physical keys and lock combination numbers for personnel that have access authority for the various CDAs;
2) Describes the access differentiation levels and/or location (e.g., site, building, area, and room) provided by the access control system and the logging performed on key-card access events; and
3) Describes the access review process and periodicity and information sources (e.g., key checkout log, access monitoring system log, video surveillance, etc.) available for auditing physical access to the associated CSs and/or CDAs.


11. Password/Authenticator documentation

Cyber security IP: Page 7, section 71130.10-02 Inspection Requirements, General Guidance 02.05 Access Control and Media and Portable Device Protection, item a

NEI 08-09, Revision 6 Review Elements: A.3.1.4, A.3.1.5, A.4.4.3, A.4.4.3.1, D.1.1, D.4.1, D.4.2, D.4.3, D.4.4, D.4.6, D.4.7, D.4.8, D.5.4

CSP Performance Elements: A.2.2.2, A.2.2.7, A.2.2.9, A.2.2.10, A.2.2.12, A.2.2.15

a. Provide the password/authenticator policy procedure(s) that address the full range of password-based access controls and non-password authentication methods employed at the site including for CSs/CDAs, where password strength and complexity may be technically limited (e.g., a six digit number) or where physical authenticators (e.g., a key, a combination or electronic fob/dongle) are employed to control access.
b. For the procedure(s) provided the appropriate section(s) shall be identified and marked (i.e., highlighted) that explain the process which:
1) Specifies the time periodicity and/or conditions (or events) under which passwords and/or authenticators would be changed;
2) Specifies the requirements for selecting passwords for the full range of password types supported by CSs and/or CDAs;
3) Specifies what types of authenticators are acceptable and the criteria for selecting;
4) Specifies the approved alternative countermeasures that can be used in cases where a CS and/or CDA does not support passwords or authenticators, especially where password or authenticator use could pose a safety or security risk;
5) Addresses identifying and replacing factory/default passwords on CSs and/or CDAs;
6) Addresses actions to be taken if a CS and/or CDA user-access password or authenticator is compromised or suspected of being compromised, particularly when a group of personnel share a single, universal password; and
7) Describes the issuance and revocation of authenticators, including the approvals required, the periodicity review, and any events that would trigger a review.


12. User Account/Credential documentation

Cyber security IP: Page 7, section 71130.10-02 Inspection Requirements, General Guidance 02.05 Access Control and Media and Portable Device Protection, item a

NEI 08-09, Revision 6 Review Elements: D.1.1, D.1.2, D.1.3, D.1.5, D.1.6, D.1.11, D.1.12

CSP Performance Elements: A.2.2.2, A.2.2.7, A.2.2.9, A.2.2.12, A.2.2.15

a. Provide the user account/credential policy and account review procedure(s) that address the full range of account-based access controls employed at the site including for CSs/CDAs where account-based user differentiation is either quite limited (i.e., a small, fixed number of access levels) or not technically supported (e.g., no passwords/accounts or a single, universally-used password with no specific account/user association).
b. For the procedure(s) provided the appropriate section(s) shall be identified and marked (i.e., highlighted) that explain the process which:
1) Specifies the time periodicity and/or conditions under which user accounts on CSs and/or CDAs would be reviewed, changed or removed;
2) Specifies the approval and review process used for authorizing personnel to have user access to CSs and/or CDAs and particularly root or admin access;
3) Specifies the approved alternative countermeasures that may be used in cases where a CS and/or CDA does not support user accounts or where use of user accounts would pose a safety or security risk;
4) Addresses identifying and eliminating factory/default, support and guest accounts on CSs and/or CDAs;
5) Addresses actions to be taken if a user-account is compromised or suspected of being compromised;
6) Includes the requirements for qualifying personnel to have accounts on the various types of CSs and/or CDAs;
7) Defines the criteria for determining which access level is appropriate for a given job description and/or role, where access level differentiation is supported on a CS and/or CDA;
8) Specifies the process used to ensure secure transmission of credentials; and
9) Provides justification for any case in which a CS and/or CDA and/or associated system technically supports all of the user account protective requirements specified in NEI 08-09, Revision 6, Appendix D, Sections 1.1 through 1.10, but the licensee has elected not to implement some or all of those functions.

13. Portable Media and Mobile Device control documentation

Cyber security IP: Page 7, section 71130.10-02 Inspection Requirements, General Guidance, 02.05 Access Control and Media and Portable Device Protection

NEI 08-09, Revision 6 Review Elements: A.2.1, A.3.1.3, A.3.1.4, A.3.1.5, A.4.13, A.4.4.1, D.1.13, D.1.14, D.1.19, D.2.2, D.3.3, D.3.19, D.4.2, D.4.3, D.4.5, D.5.3, D.5.5, E.1.1, E.1.2, E.1.3, E.1.4, E.1.5, E.1.6, E.3.2, E.3.3, E.3.7, E.4.2, E.8.4, E.8.5

CSP Performance Elements: A.2.2.2, A.2.2.7, A.2.2.8, A.2.2.9, A.2.2.13, A.2.2.15

a. Provide the portable media and mobile device (PMMD) control procedure(s) or description of licensee processes that detail the methodology used to control PMMDs that are within the scope of the CSP, but are not included as M&TE. (That is covered in section 13)
b. For the procedure(s) or description of licensee processes provided the appropriate section(s) shall be identified and marked (i.e., highlighted) that explain the processes which:
1) Address the custody transfer process;
2) Address the associated documentation tracking process (e.g., a labeling and numbering scheme);
3) Address the audit process;
4) Describes the process used to move digital data from the source to the PMMD and then to a CS and/or CDA;
5) Describes the authority to physically control, store, issue, and retain PMMD;
6) Describes the transfer of PMMD information (e.g., data files, programs, etc.) to and/or from a CS and/or CDA;
7) Describes the process used to verify PMMD integrity and ensures that PMMD do not contain malicious software which could be used as a cyber-attack pathway;
8) Identifies the responsible individual and/or organization that has the authority to be in possession of PMMD;
9) Explains, in technical detail, the process and technologies (e.g., anti-virus (AV) scanning software on a kiosk) used for device (i.e., firmware, software, configuration settings, etc.) and device content integrity verification, including security control assessment or other documentation that describes:
a. The physical security controls (e.g., cabinets, port blockers);
b. The technical security controls used to protect the integrity of the process or technology (e.g., system hardening, malware detection, logical access control);
c. The operational controls used to ensure correct and authorized operation of the process or technology.
10) Explains the process of field updating of firmware used for obtaining, validating and installing firmware updates; and
11) Addresses by what means PMMD are uniquely identified for tracking and auditing purposes and how specific devices are associated with security levels and/or specific CSs and/or CDAs.
c. Provide a list of smart portable computer-readable media (for example, a USB thumb drive with a password, file management functionality and/or encryption capabilities). Do not include PM that is unable to change its contents (e.g., a CD or magnetic tape) or is passive (e.g., a memory stick or dumb USB thumb drive).
d. Provide a list of:
1) Any PMMDs that are specifically excluded from the scope of the CSP and the justification for being excluded;
2) Any prohibited PMMDs (e.g., Wi-Fi hot spots) or PMMDs that are restricted and the specifics of the restrictions (e.g., no cell phones or cameras in rooms, where SGI is discussed); and
3) All personnel who are authorized to perform firmware updates.


14. List all design changes completed since the last inspection including 50.59 documentation and the design change/modifications program documentation

Cyber security IP: Page 6, section 71130.10-02 Inspection Requirements, General Guidance 02.02 Attack Mitigation, Incident Response, and Contingency Planning, item b

NEI 08-09, Revision 6 Review Elements: A.2.1, A.3.1, A.3.1.3, A.3.1.5, A.4.3, A.4.6, A.4.7, D.1.17, D.1.22, D.3.4, D.3.6, D.3.7, D.3.9, D.3.12, D.4.2, D.4.3, E.5.5, E.5.6, E.8.2

CSP Performance Elements: A.2.2.3, A.2.2.8, A.2.2.15

a. Provide a list of all the design changes performed on any of the systems selected for inspection and include the design change package.
b. Provide a copy of the 50.59 evaluations that were performed as well as any supporting information (e.g., work order documenting the 50.59 evaluation, etc.).


15. Supply Chain Management program documentation including any security impact analysis for new acquisitions since last inspection

Cyber security IP: Page 7, section 71130.10-02 Inspection Requirements, General Guidance 02.04 Systems and Services Acquisition and Supply Chain Protection, item a

NEI 08-09, Revision 6 Review Elements: D.5.4, D.5.5, E.3.2, E.3.7, E.4.2, E.4.3, E.5.2, E.5.8, E.5.9, E.8.5, E.10.2, E.10.3, E.10.4, E.10.6, E.10.7, E.11.1, E.11.2, E.11.3, E.11.4, E.11.5, E.11.6

CSP Performance Elements: A.2.2.1, A.2.2.3, A.2.2.10, A.2.2.15, A.2.2.17

a. Provide the supply chain management procedure(s) that document the methodology used to purchase new systems and services and comply with the facility's CSP, specifically how the licensee:
a. Maintains Custody and Control of devices or Software from a Vendor to Installation
b. Guidance for the establishment of trusted distribution paths
c. How vendors are validated
d. Requirements for tamper proof devices on acquired products
b. Provide documentation on how the licensee ensures that acquired products meet defined levels of trustworthiness and how the licensee ensures that software developers employ software quality and validation methods to minimize flawed or malformed software.
c. How the licensee ensures that new acquisitions integrate security capabilities into newly acquired devices including:
a. Ensuring the procurement of CDAs is informed by the vulnerability and threat management program
b. Either the Supplier or the licensee performs a Security Impact analysis to consider how assets could be exploited and the potential impacts of security control failures on CDA security and safety functions.
d. How the licensee requires that system developers/integrators create a security test and evaluation plan, implement the plan and document the results
e. Documentation on required licensee testing needed prior to installation.
f. Documentation of audits required by the licensee's CSP to validate the following items:
a. Security controls present during system validation testing are still installed and operating in the production system
b. CDA are free from known security compromises
c. Management change program is being followed with an audit trail of review and approvals for changes

16. Configuration Management documentation to include any security impact analysis performed due to configuration changes since the last inspection

Cyber security IP: Page 7, section 71130.10-02 Inspection Requirements, General Guidance 02.03 Program Monitoring, Assessment, Configuration, and Change Management, item a

NEI 08-09, Revision 6 Review Elements: A.3.1.5, A.4.4, A.4.4.1, A.4.5, E.10.1, E.10.2, E.10.3, E.10.4, E.10.5, E.10.7, E.10.8, E.10.9

CSP Performance Elements: A.2.2.1, A.2.2.2, A.2.2.8, A.2.2.9, A.2.2.10, A.2.2.13, A.2.2.15, A.2.2.17

a. Provide a high-level explanation of the processes and procedure(s) that govern and control configuration changes to CDAs.
b. Provide a list of plant modifications to CDAs for which cyber security program elements have been added, deleted or modified and the associated assessment that was performed in accordance with the licensee's CSP.
c. Provide configuration management procedure(s), including Hardware / Software / Firmware, that establish, approve, document, and verify CDA hardware configuration. The CDA hardware configuration refers collectively to the CDA-supported options and variations, CDA software and/or firmware complement, including 3rd-party applications and software additions, and essential CDA configuration value settings.
d. For the procedure(s) with references provided, the appropriate section(s) shall be identified and marked (i.e., highlighted) that explain how the processes below were addressed:
1) Establish the initial baseline CDA hardware configuration and any subsequent change(s);
2) Defines individuals that have authorization to make changes to any and/or all of the elements;
3) Establishes specialized training requirements for those individuals and how such changes are verified, tracked and audited;
4) Evaluates, documents and implements changes to hardware or software or configuration settings;
5) Ensures any implemented changes do not introduce new vulnerabilities, malicious, unauthorized, altered functionality; and
6) Ensures proposed changes to CDAs are evaluated to ensure that the CDAs' cyber protections remain effective and adequate.
e. Provide a high-level explanation of the processes and procedure(s) that document and maintain an inventory of the components of CDAs.
f. Provide the inventory management and control procedure(s) that address the tracking, identification and control of CDAs, and their components (e.g., Storage devices, video cards, Motherboards, Network Interface Adapters, PLCs and their associated communication and I/O modules, etc.) (if available).
g. For the procedure(s) provided the appropriate section(s) shall be identified and marked (i.e., highlighted) that address the tracking, identification and control of CDAs, and their components as follows:
a. Identify components of systems/devices to a detail level sufficient to account for knowing which systems/devices may be due or eligible for an available or required software update or security patch;
b. Indicate how inventory management procedures identify the software/firmware versions of all inventory components that are associated with support of CSs/CDAs
h. Include any Cyber Security Impact analysis performed due to changes in a CDA's configuration or environment to manage risks introduced by the changes since the last cyber security inspection.

17. Cyber Security Plan and any 50.54(p) analysis to support changes to the plan since the last inspection

Cyber security IP: Page 9, section 71130.10-02 Inspection Requirements, General Guidance 02.08 Identification and Resolution of Problems, item a

NEI 08-09, Revision 6 Review Elements: A.3.1.1, A.3.1.3, A.3.1.4, A.3.1.5, A.3.1.6

CSP Performance Elements: 10 CFR 73.54(d)(2), 10 CFR 73.55 (b)(10), RG 5.83, NEI 15-09

a. The licensee should provide a copy of their current Cyber Security Plan (CSP).
b. The licensee should provide copies of all 50.54(p) analyses that have been performed to support changes to the CSP since it was originally approved by the NRC.


18. Cyber Security Assessment team documentation to include training documentation (both general cyber security training and any specialized training)

Cyber security IP: Page 5, section 71130.10-02 Inspection Requirements, General Guidance 02.01 Establish a Cyber Security Program and Personnel Training, item a

NEI 08-09, Revision 6 Review Elements: A.2.2, A.3.1, A.3.1.1, A.3.1.2, A.3.1.3, A.3.1.4, A.3.1.5, A.3.1.6, A.4.4, A.4.4.1, A.4.4.2, A.4.4.3, A.4.4.3.1, A.4.4.3.2, A.4.5, A.4.6, A.4.7, A.4.8, A.4.9, A.4.11, A.4.12, D.2.1, D.2.2, D.2.3, D.2.12, D.3.9, D.3.12, D.5.1, D.5.2, E.3.3, E.3.4, E.3.5, E.3.6, E.6, E.7.1, E.7.4, E.7.6, E.8.1, E.9.3, E.9.4, E.9.8, E.10.5

CSP Performance Elements: A.2.2.7, A.2.2.10, A.2.2.12, A.2.2.15, A.2.2.18

a. Copy of all policies and procedures related to the Cyber Security Assessment team
b. List all personnel responsible for associated CSP functions, including contracted and vendor personnel, who form the Cyber security Assessment Team (CSAT) as defined in the NRC-approved CSP, Sections 3.1.2 through 3.1.6. The CSAT list shall provide the following information for each individual:
1) Name;
2) Area(s) of Expertise;
3) Education;
4) Relevant Experience;
5) Cyber security Training;
6) Technical Credentials;
7) Applicable Certifications;
8) Technical Society Memberships; and
9) Specialized Training.1
c. List all personnel responsible for associated CSP functions, including contracted personnel, who form the Cyber security Incident Response Team (CSIRT) as defined in the NRC-approved CSP, Section 4.11. The CSIRT list shall provide the following information for each individual:
1) Name;
2) Area(s) of Expertise;
3) Education;
4) Relevant Experience;
5) Cyber security Training;
6) Technical Credentials;
7) Applicable Certifications;
8) Technical Society Memberships; and
9) Specialized Training.2

1 Information provided shall include descriptions of all vendor-provided training that covers the design, installation, use, administration and on-going support of technical security products employed to meet the CSP objectives, such as, firewalls, HIDS and NIDS/NIPS, data-diodes, SYSLOG servers, SIEM systems, routers, virtual private network (VPN) gateways, managed switches, PM scanners, security appliances, NAC software, etc.

2 Information provided shall include descriptions of all vendor-provided training that covers the design, installation, use, administration and on-going support of technical security products employed to meet the CSP objectives, such as, firewalls, HIDS and NIDS/NIPS, data-diodes, SYSLOG servers, SIEM systems, routers, virtual private network (VPN) gateways, managed switches, PM scanners, security appliances, NAC software, etc.


19. Cyber Security Metrics (if tracked)
a. Provide a list of the metrics the licensee monitors. At a minimum, the licensee should monitor the following:
a. Access Control
  • Number of violations of access control policy identified during the sample period (the objective of the access control policy is to provide high assurance that only authorized individuals or processes acting on their behalf can access CDAs and perform authorized activities). [D1.1, D1.4, D1.11, and D2.6]. This value is used to evaluate the effectiveness of the access control policy and associated controls [D1.1, D1.4, D1.11, and D2.6].

  • Number of instances in which the time to disable and to remove user credentials of employees due to a change of duty or of employment went beyond the allotted time permitted in the CSP (reviews CDA accounts consistent with the access control list provided in the design control package, access control program, and cyber security procedures, and initiates required actions on CDA accounts in accordance with the CSP). [D1.2]. This value is used to determine whether the licensee is meeting the requirements of account management activities.
  • Number of non-compliance incidents of cyber security controls by third-party personnel. [D1.1, D1.3, D4.5, and E5.2]. This metric is used to evaluate the licensee's capability to screen and to enforce security controls for third-party personnel.
  • Number of unauthorized portable mobile media devices (PMMDs) connected to CDAs [D1.18, D1.19]. This requirement involves monitoring, controlling, and documenting usage restrictions. This may be performed manually or digitally. Device identification and authentication at the CDAs [D4.5] could be used to provide input to this metric.
b. Flaw Remediation
  • Number of security flaws not mitigated (identify the security alerts and vulnerability assessment process, communicate vulnerability information, correct security flaws in CDAs, and perform vulnerability scans, or assessments of the CDA to validate that the flaw has been eliminated before the CDA is put into production). [E3.2 and E12]. This value informs the effectiveness of the technical evaluation and testing of recommended flaw remediation.

c. Periodic Review of Auditable Events
  • Number of configuration changes that are not documented or approved in accordance with the CSP or procedures, and the number of incorrect baseline configurations noted by the licensee through various methods, to include integrity verification (baseline configuration documentation includes the following: a list of components, for example, hardware and software, interface characteristics, security requirements, and the nature of the information communicated, configuration of peripherals, version releases of current software, and switch settings of machine components). This metric assists in describing the licensee's ability to manage configuration changes and to monitor systems for unauthorized changes. [E3.7, E10.3, and E10.4].
d. Malicious Code Identification
  • Number of incidents where malicious code was not detected at the security boundary device entry and exit points and on the network (real-time malicious code protection mechanisms are established, deployed, and documented for security boundary device entry and exit points, CDAs (if applicable), workstations, servers, and mobile computing devices (i.e., calibrators) on the network to detect and eradicate malicious code resulting from data communication between systems, CDAs, removable media or other common means; and exploitation of CDA vulnerabilities). Number of incidents where malicious code was not blocked from making unauthorized connections (monitoring events on CDAs, detecting attacks on CDAs, detecting and blocking unauthorized connections, identifying unauthorized use of CDAs). [E3.3 and E3.4]. This value assists in the assessment of the effectiveness of malicious code protection controls and processes, as well as monitoring tools and techniques.

  • Number of periodic scans not performed in accordance with procedures and periodicity requirements (perform periodic scans of security boundary devices, CDAs (if applicable), workstations, servers, and mobile computing devices at an interval commensurate with the associated risk determination, and real-time scans of files from external sources as the files are downloaded, opened, or executed, and disinfect, and quarantine infected files). [E3.3] This metric establishes whether licensees are correctly following procedures and performing periodic validation of boundary device tasks.
e. Security Functionality
  • Number of security functions not tested manually or through automated means (the correct operation of security functions of CDAs are verified and documented periodically, in accordance with 10 CFR 73.55(m), upon startup, and restart, upon command by a user with appropriate privilege, and when anomalies are discovered, when possible.) [E3.4, E3.6].

f. Security Awareness and Assessment Team
  • Personnel training and specialized training commensurate with their assigned duties are completed. [A4.8, E9.2, E9.3, and E9.4].
  • The minimum required staff was assigned, and any vacancies were filled with fully qualified, and trained personnel. [A3.1.2]
g. System Hardening
  • Number of CDAs with ports or protocols that had not been evaluated as physically and logically secured and hardened, including firewalls and boundary control devices that were removed. [E6]


20. Provide documentation on your access authorization program
a. Provide procedures and policies that document how an individual gains access to the facility, to include:
a. Initial plant access
b. Lost badge replacement
c. Verification for badge renewal
d. Badge termination
b. Include any revisions or changes to the above documentation as a result of either SFAQ 17-04 or the Security White Paper.


21. For the procedures and policies provided, provide a comprehensive list that provides the procedure/policy number along with a descriptive name of the procedure/policy
a. The request is for a comprehensive list of the procedures/policies provided that includes both a description of each procedure/policy and its plant number (if applicable)
b. Optional - cross reference to which part of the inspection procedure this procedure/policy applies

22. Performance testing report (if applicable)
a. If the licensee has elected to perform performance testing, submit a copy of the performance test report.

4 Initial Documentation Requests - RFI #2

Items 1-13 in RFI #2 apply only to the systems that have been selected for inspection.

1. Ongoing Monitoring and Assessments performed on the system
a. Review any ongoing monitoring or assessments that were performed on the selected systems since the last cyber security inspection.
b. The ongoing monitoring program includes:
  • Configuration management of CDAs;
  • Cyber security impact analyses of changes to the CDAs or their environment(s) to ensure that implemented cyber security controls are performing their functions effectively;
  • Ongoing assessments to verify that the cyber security controls implemented for CDAs remain in place throughout the life cycle of the CDA;
  • Verification that rogue assets are not connected to the network infrastructure;
  • Ongoing assessments of the need for and effectiveness of the cyber security controls identified in Appendices D and E of NEI 08-09, Revision 6; and
  • Periodic cyber security program review to evaluate and improve the effectiveness of the Program.


2. Security Assessments for Selected Systems

Cyber security IP: Page 9, section 71130.10-02 Inspection Requirements, General Guidance 02.08 Identification and Resolution of Problems, item a

NEI 08-09, Revision 6 Review Elements: A.3.1.1, A.3.1.3, A.3.1.4, A.3.1.5, A.3.1.6

CSP Performance Elements: 10 CFR 73.54(d)(2), 10 CFR 73.55 (b)(10), RG 5.83, NEI 15-09

a. The licensee should provide Security assessments performed for all CDAs for the systems that have been selected for inspection.
b. For the security assessments provided, the licensee should be able to explain how the controls provide for defense-in-depth through integration of systems, technologies, programs, equipment, supporting processes and implementing procedures to ensure the effectiveness of the program. (2.2.7)
c. For the security assessments provided the licensee should be able to explain how these measures provide the capability to detect, delay, respond and recover from a cyber attack up to and including the design basis threat in 10 CFR 73.1 (2.2.13)


3. Any effectiveness analysis of the cyber security controls on the selected system(s)
a. Review any effectiveness analysis that has been performed on the selected system(s) since the last Cyber Security Inspection
b. The effectiveness analysis should include but is not limited to:
i. Reviews of the cyber security program
ii. Reviews of the cyber security controls
iii. Periodic audits of the physical security program
iv. Periodic audits of the security plans and implementing procedures
v. Periodic audits of the cyber security programs
vi. Periodic audits of the safety/security interface activities
vii. Periodic audits of the maintenance, testing and calibration programs as they relate to cyber security
c. The effectiveness analysis should also review maintenance and repairs on CDA components to ensure CDAs which perform cyber security functions are maintained according to vendor recommendations.


4. All vulnerability screening/assessments or scans performed on the selected system(s) since the last inspection
a. Provide evidence for vulnerability scans or vulnerability assessments and the resultant reports;
b. Provide evidence of remediation activities for vulnerabilities identified during the scan or assessment
c. Provide a list of the most recent vulnerabilities from alerts and advisories that affect the asset
d. Provide documentation supporting the screening and disposition of these identified vulnerabilities

5. Documentation for any Network-based Intrusion Detection System (NIDS/NIPS), Host-based Intrusion Detection System (HIDS), Security Information and Event Management (SIEM) system and intra-security level firewall for the system(s) chosen for inspection (ORFI 10, 11 and 12)
a. For any host-based intrusion detection system (HIDS) installed as a cybersecurity countermeasure on plant CSs/CDAs in the system(s) selected for inspection provide the following:
1) A list of CSs/CDAs and/or computers on which the HIDS has been installed;
2) Vendor technical literature on the HIDS product;
3) Current user-alterable HIDS-associated configuration settings within the CSs/CDAs;
4) The test procedures used to verify HIDS functionality and effectiveness;
5) The most recent testing results for each HIDS deployment;
6) The list of personnel with the authority and expertise to test, maintain and administer the HIDS;
7) The training details and personnel records for any vendor-provided product training;
8) The list of personnel who are authorized and trained to monitor the HIDS alerts and alarms;
9) If the HIDS is remotely monitored (e.g., at a fleet-level Security Operations Center [SOC]) provide documentation on the measures employed to ensure that remote monitoring is performed in a secure manner that does not create additional exploitable vulnerabilities;
10) The procedures used by personnel when responding to and assessing a HIDS alert and/or alarm;
11) The procedures for updating the HIDS to maintain and augment any signatures and/or rulesets used by the HIDS; and
12) If the HIDS are integrated into a Security Information and Event Management (SIEM) system provide a description of how this is accomplished and the measures employed to ensure that SIEM integration is performed in a secure manner that does not create an attack pathway to the CSs/CDAs.


b. For any network intrusion detection/protection system (NIDS/NIPS) installed as a cybersecurity countermeasure on the system(s) selected for inspection provide the following:
1) List of network locations where a sensor has been installed;
2) Vendor technical literature on the NIDS/NIPS product;
3) Technical specifications for the sensors being used including:
i. Manufacturer
ii. Make/Model
iii. Firmware version
iv. Throughput (packets/frames per second);
v. Security capabilities of the device (i.e., information gathering, logging, detection, and prevention)
4) Current user-alterable configuration settings;
5) The NIDS/NIPS test procedures;
6) The most recent testing results, including testing of the processing/bandwidth capacity of the individual sensors and overall NIDS/NIPS as a system;
7) List of personnel with authority and expertise to test, maintain and administer the NIDS/NIPS;
8) Training details and personnel records for any vendor-provided product training;
9) List of personnel who are authorized and trained to monitor the NIDS/NIPS alerts and alarms;
10) If the NIDS/NIPS is remotely monitored (e.g., at a fleet-level SOC) provide documentation on the measures employed to ensure that remote monitoring is performed in a secure manner that does not create additional exploitable vulnerabilities;
11) Procedures used by personnel when responding to and assessing a NIDS/NIPS alert and/or alarm;
12) The procedures for updating the NIDS/NIPS to maintain and augment any signatures and/or rulesets used by the NIDS/NIPS;
13) Specifications on mechanisms used to provide message traffic to NIDS/NIPS sensors (e.g., Ethernet switch SPAN/mirror ports, aggregating network taps, passive taps, etc.);


14) Bandwidth/traffic analysis that shows expected message processing load for each sensor; and
15) Information on the NIDS/NIPS rules and/or signatures specifically developed to monitor and assess any industrial traffic employed by various plant systems (e.g., MODBUS/TCP, Distributed Network Protocol (DNP3), Inter-Control Center Communications Protocol (ICCP), Process Field Net (PROFINET), EtherNet/IP, HART-IP, etc.).
c. For any SIEM and/or log collection and analysis products (e.g., a System Log (SYSLOG) server) installed as a cybersecurity countermeasure on plant networks provide the following:
1) List of computers, systems, CDAs, devices, other security mechanisms (e.g., HIDS, NIDS/NIPS, firewalls, Network Access Control (NAC), etc.) and network components (e.g., switches, routers, etc.) from which logs are reported or extracted for analysis purposes;
2) Vendor literature on the SIEM product;
3) The specification on the types of logs and log contents reported or extracted from each of the aforementioned items listed in the prior/first bullet;
4) Technical details on the communication connectivity used to report or extract information from each of the aforementioned items listed in the first bullet;
5) Current user-alterable configuration settings for the SIEM;
6) The SIEM test procedures used to validate its functionality;
7) The most recent testing results;
8) List of personnel with the authority and expertise to test, maintain and administer the SIEM;
9) Training records for any vendor-provided product training;
10) List of personnel who are authorized and trained to monitor the SIEM alerts and alarms;
11) Explain how the SIEM is monitored and how its alerts are processed and conveyed to response personnel;
12) If the SIEM is remotely monitored (e.g., at a fleet-level SOC) provide documentation on the measures employed to ensure that remote monitoring is performed in a secure manner that does not create additional exploitable vulnerabilities;
13) Procedures used by personnel when responding to and assessing a SIEM alert and/or alarm;
14) Procedures for updating SIEM to augment or enhance its analytical mechanisms for detecting new threats, malware and attack methodologies; and
15) Details on the rules and/or analysis metrics specifically developed to enable the SIEM to receive, process, and assess threats to, and attacks on safety and security CSs/CDAs.


6. Provide documentation for intra-security level firewalls and boundary devices used to protect the selected system(s)
a. For any intra-security level firewall or boundary device used to protect the selected system provide the following:
i. Vendor technical literature on the firewall or boundary device product;
ii. Copies of firewall and/or boundary device configuration files
iii. Copies of firewall and/or boundary device log files for the last 30 days
iv. Results of functional tests performed since the last inspection on either the firewall or boundary device.
v. Cross reference of what devices are inheriting protections from these devices
vi. Firewall or boundary device rule sets that have been implemented
vii. Documentation of log review for affected firewall and/or boundary devices
viii. integration is performed in a secure manner that does not create an attack pathway to the CSs/CDAs.


7. Copies of all periodic reviews of the access authorization list for the selected system(s) since the last inspection
a. Provide evidence (e.g., work orders, periodic maintenance schedules, critical group changes, etc.) of the periodic review of access authorization lists for the selected system(s).


8. Baseline configuration data sheets for the selected system(s)
a. Provide baseline configurations for selected system;
i. If baseline information IAW E.10.3 is not maintained in a consolidated format, provide a summary sheet of documents that contain the baseline information and marked copies of those documents referenced.
b. Provide evidence for the last time the baseline configurations were audited

9. Any security impact analysis performed on the selected system(s) since the last inspection
a. Provide documentation to describe any recent changes to the asset, e.g., Engineering Design Changes, work orders
b. For each recent change provide a Security Impact Analysis, or justification as to why the changes are not significant enough to require one
c. Provide procedures for Security Impact Analysis

10. Copies of purchase order documentation for any new equipment purchased for the selected system(s) since the last inspection
a. Provide documentation showing supply chain from the point of egress to the point of destination.
b. For each purchase order, provide a Security Impact Analysis on the digital components that will be affected by the new purchase.
c. Provide the current status of the purchase (e.g., sitting in the warehouse, currently in a development environment).

11. Copy of any cyber security drills performed since the last inspection
a. Provide a copy of any cyber security/incident response drills performed since the last cyber security inspection, to include:
i. Copy of the drill scenario
ii. Any Corrective Actions generated as a result of the drill
iii. List of personnel involved with the drill

12. Copy of the individual recovery plan(s) for the selected system(s) including documentation of the results of the last time the backups were executed.
a. Copy of individual recovery plans for the selected system(s) indicating how the affected equipment would be restored to operable
b. Copy of the documentation of the results of the last time that the backups were executed
c. Copy of any corrective actions generated as a result of attempting to restore a backup

13. Corrective actions taken as a result of cyber security incidents/issues to include previous NRC violations and Licensee Identified Violations (LIVs) since the last inspection.

NEI 08-09, Revision 6 Review Elements: A.3.1.5, A.4.4.2, A4.4.3.1, A4.6, A4.9.1, A4.9.3, A4.9.4, A4.12, E3.2, E3.9, E3.11, E7.1, E7.4, E8.2, E10.6, E12
CSP Performance Elements: 10 CFR 73.54(d)(2), 10 CFR 73.55(b)(10), RG 5.83, NEI 15-09
Cyber security IP 71130.10-02 Inspection Requirements, General Guidance: Page 9, section 02.08 Identification and Resolution of Problems, item a

a. The licensee should provide a list of corrective actions since the previous NRC inspection. In this instance, corrective actions for applicable cyber-related issues, including those related to vulnerability mitigation, should be tracked in a corrective action process consistent with physical security issues. The inspectors should be mindful that a recordable log review should be readily available to staff based upon guidance in RG 5.83 and NEI 15-09. The current physical security inspectors refer to this as a sample from their tickler file. In addition, inspectors should be mindful of the quality assurance applicability and how this equates to the dispositioning of corrective actions. Inspectors should assess the administrative procedures to ensure that cyber is encapsulated within the processes. References to RG 5.83, NEI 15-09 and 10 CFR 73.55(b)(10) should have some record of a change and evaluation to add to the respective procedures.

Should be encapsulated in the Cyber Event Notifications section

5 Initial Documentation Requests - RFI #3

Request for Information #3 is the information to be provided to the NRC at the start of the inspection.

1. Any cyber security event reports submitted in accordance with 10 CFR 73.77 since the last inspection.

NEI 08-09, Revision 6 Review Elements: E.7.1 through E.7.6, E.9.5, E.9.8
CSP Performance Elements: A.2.2.13, A.2.2.15, A.2.2.18
Cyber security IP 71130.10-02 Inspection Requirements, General Guidance: Page 10, section 02.10 Cyber Security Event Reporting, item a

a. Provide all Cyber security Event Notifications (CSENs) submitted to the NRC Headquarters Operations Center via the Emergency Notification System (ENS) since November 3, 2015. (See footnote 3.)
b. For each CSEN, ensure the following information is contained within the CSEN:
1) Indicate what systems, networks, devices and security mechanisms were, or were believed to be, involved in each event; and
2) Documentation showing what incident response actions were taken.
3) Refer to RG 5.83 and NEI 15-09 for supporting information.

Footnote 3: Title 10, Code of Federal Regulations, Physical Protection of Plants and Materials, Part 73, Section 77, Cyber security Event Notifications (10 CFR 73.77), requires licensees subject to the provisions of 10 CFR 73.54, Protection of Digital Computer and Communication Systems and Networks, to submit Cyber security Event Notifications as described in RG 5.83, Cyber security Event Notifications, dated July 2015.

2. Updated copies of corrective actions taken as a result of cyber security incidents/issues to include previous NRC violations and Licensee Identified Violations (LIVs) since the Corrective Actions for RFI #2 were submitted.

NEI 08-09, Revision 6 Review Elements: A.3.1.5, A.4.4.2, A4.4.3.1, A4.6, A4.9.1, A4.9.3, A4.9.4, A4.12, E3.2, E3.9, E3.11, E7.1, E7.4, E8.2, E10.6, E12
CSP Performance Elements: 10 CFR 73.54(d)(2), 10 CFR 73.55(b)(10), RG 5.83, NEI 15-09
Cyber security IP 71130.10-02 Inspection Requirements, General Guidance: Page 9, section 02.08 Identification and Resolution of Problems, item a

a. The licensee should provide a list of corrective actions that were generated since the corrective actions provided for RFI #2 were submitted.
i. Also include any corrective actions generated as a result of self assessments performed prior to the inspection and any updates to previously submitted corrective actions

Appendix A - Glossary of Terms

A number of terms are used in this document. To ensure alignment on their precise meaning and usage, the following glossary provides the interpretation and meaning used herein.

Word/Term/Phrase: Intended Meaning/Usage

Air-gapped: See Isolated

COTS: COTS means commercial off-the-shelf devices or software (i.e., shipped and received with normal and expected commercial vendor shipping/packaging such as shrink-wrap, tamper seal or other recognizable packaging and marking) that is available from multiple sources and developed to run unmodified as delivered by the original developer. This would include such products as commercially available OSs (e.g., MS Windows, Linux, OS X, TXS, etc.), general purpose application software (i.e., MS Office, Corel, Open Office, Structured Query Language (SQL) Server, etc.), and Open Source products, where builds can be verified and are obtained from known trusted sources. Firmware such as Basic Input/output System (BIOS) updates, field upgradable commercial sensors (i.e., Pressure Transmitters, Flow Sensors, Level Sensors, etc.), and other off-the-shelf firmware upgradable hardware (i.e., Hard Drives, Video Cards, Digital Versatile Disc (DVD) Drives, Embedded OS, etc.) would be considered COTS.

DCS: Distributed Control System is a computerized control system for a process or plant, which combines the following into a single automated system: human machine interface (HMI), logic solvers, data acquisition components, historian, common database, alarm/event management, and a common engineering suite. DCSs follow very specific design requirements and contain all of the elements noted above. A system of distributed data acquisition components would not be considered a DCS.

Fieldbus: Fieldbus is a specialized LAN used to provide intercommunications among smart instruments and control elements for data acquisition and process control purposes. A fieldbus can be based on Ethernet technology (e.g., PROFINET) or on a less complex serial communications technology better suited for hazardous areas and designed to provide device power (e.g., Foundation Fieldbus H1 or PROFIBUS) or it can be based on wireless communication technology (e.g., WirelessHART or ISA100.11a).

HIDS: Host-Based Intrusion Detection System is a technology generally consisting of software installed onto one or more computers in order to detect abnormal, suspicious and/or malicious activity in those computers using various means of detection, plus a central console that collects, correlates and analyzes information from the participating computers in order to determine if an alert should be generated.

Isolated: Isolated means an individual device/CDA that has no form of digital communication interconnectivity, either wired or wireless, including LAN and WAN connectivity as well as point-to-point/multi-point serial connectivity. This segregation could be either due to the absence of communication interfaces (hardware and/or software) or due to the existing interfaces having been disabled physically, electrically or administratively.

Isolated LAN: Isolated LAN is a wired (not wireless) local area network physically constrained to a specified geographic area, having no gateways or bridges that provide information/message exchanges with any other network, and used to interconnect a defined and specific set of devices/elements in order to perform/support a specified set of functions.

LAN: Local Area Network is a network that covers a smaller geographic area (e.g., an industrial facility) and thus can be implemented using communications technologies that have a shorter range such as Ethernet.

NIDS/NIPS: Network-Based Intrusion Detection System is a technology generally consisting of one or more specialized computers (called sensors) used to monitor and process network message traffic between and among network-connected computers in order to detect abnormal, suspicious and/or malicious activity using various means of detection, plus a central console that collects, correlates and analyzes information from the sensors in order to determine if an alert should be generated.

SIEM: Security Information and Event Management is an information collection and analysis technology that uses logs and other types of information collected from computers, security devices (e.g., firewalls), network components (e.g., routers and switches) and other cyber detective systems (e.g., NIDS/NIPS and HIDS) to attempt to detect and identify abnormal, suspicious and/or malicious activity using a range of analytical methods.

WAN: Wide-Area Network is a network that covers a large geographic area (e.g., a country) and thus requires the use of telecommunication infrastructure suitable for long distance data transmission such as FDDI, ATM and SONET technologies. WANs may also incorporate a greater number of member nodes than would be typical for a LAN. The largest example of a WAN is the Internet.

WLAN: Wireless LAN is a LAN that makes use of radio-based communications technologies (e.g., Wi-Fi or Worldwide Interoperability for Microwave Access (WiMAX)) to interconnect the member nodes. A subset or variation of this are the PICONET and the personal area network (PAN), which use short-range radio technologies (e.g., Bluetooth) and thus are more distance/coverage-area limited.

Appendix B - Transmittal Letter (Example)

The following transmittal letter template should be used as the RFI and notification letter to the licensee. The letter should be sent at least 120 days prior to the start date of the cyber security inspection. To obtain the complete MS Word template, double click on the MS Word icon.

Cyber-Security RFI and Notification Ltr

Appendix C - List of Acronyms

ACL: Access Control List
AP: Access Point
ASCII: American Standard Code for Information Interchange
ATM: Asynchronous Transfer Mode
AV: Anti-Virus
BIOS: Basic Input/output System
BOP: Balance-of-Plant
CCB: Configuration Control Board
CDA: Critical Digital Asset
CFR: Code of Federal Regulations
COTS: Commercial Off-The-Shelf
CS: Critical System
CSAT: Cyber security Assessment Team
CSEN: Cyber security Event Notification
CSIRT: Cyber security Incident Response Team
CSP: Cyber security Plan
CSV: Comma Separated Values
DCS: Distributed Control System
DEC: Digital Equipment Corporation
DNP: Distributed Network Protocol
DVD: Digital Versatile Disc
EIN: Equipment ID Number
EP: Emergency Preparedness
EPN: Equipment Part Number
FDDI: Fiber Distributed Data Interface
HART: Highway Addressable Remote Transducer
HIDS: Host-based Intrusion Detection Systems
HMI: Human Machine Interface
HTTP: Hypertext Transfer Protocol
I/O: Input/output
ICCP: Inter-Control Center Communications Protocol
IP: Inspection Procedure
IPX/SPX: Internetwork Packet Exchange/Sequenced Packet Exchange
IRIG-B: Inter-Range Instrumentation Group Time Code B
ISA: International Society for Automation (
LAN: Local Area Network
M&TE: Measurement and Test Equipment
MAC: Media Access Control
MD: Mobile Device
NAC: Network Access Control
NAS: Network-Attached Storage
NEI: Nuclear Energy Institute
NET: Network
NIDS/NIPS: Network Intrusion Detection System/Network Intrusion Prevention System
NRC: U.S. Nuclear Regulatory Commission
O&M: Operational and Management
OS: Operating System
PBX: Private Branch Exchange
PLC: Programmable Logic Controller
PM: Portable Media
PROFIBUS: Process Field Bus
PROFINET: Process Field Net
RFI: Request for Information
RG: Regulatory Guide
Rlogin: Remote Login
SCADA: Supervisory Control and Data Acquisition
SCM: Software Configuration Management
SDH: Synchronous Digital Hierarchy
SDLC: Software Development Life Cycle
SIEM: Security Information And Event Management
SGI: Safeguards Information
SNA: Systems Network Architecture
SNMP: Simple Network Management Protocol
SOC: Security Operations Center
SONET: Synchronous Optical Networking
SPM: Software Patch Management
SQA: Software Quality Assurance
SQL: Structured Query Language
SSEP: Safety, Security, and Emergency Preparedness
SSH: Secure Shell
SYSLOG: System Log
TCP/IP: Transmission Control Protocol/Internet Protocol
USB: Universal Serial Bus
V&V: Verification and Validation
VoIP: Voice Over Internet Protocol
VPN: Virtual Private Network
WAN: Wide-Area Network
WiMAX: Worldwide Interoperability for Microwave Access
XML: Extensible Markup Language