ML21342A203

Letter from W. Gross to S. Atack, Endorsement of Nuclear Energy Institute 13-10, Cyber Security Control Assessments, Revision 7, Dated October 29, 2021
Person / Time
Site: Nuclear Energy Institute
Issue date: 10/29/2021
From: Gross W
Nuclear Energy Institute
To: Sabrina Atack
Office of Nuclear Security and Incident Response
Yip B
References
NEI 13-10, Rev 7



WILLIAM R. GROSS
Director, Incident Preparedness
1201 F Street, NW, Suite 1100
Washington, DC 20004
P: 202.739.8123
wrg@nei.org
nei.org

October 29, 2021

Ms. Sabrina Atack
Director, Division of Physical and Cyber Security Policy
Nuclear Security and Incident Response
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001

Subject: Endorsement of Nuclear Energy Institute 13-10, Cyber Security Control Assessment, Revision 7, Dated October 2021
Project Number: 689

Dear Ms. Atack:

By letter dated September 7, 2017 [1], the Nuclear Regulatory Commission (NRC) found NEI 13-10, Cyber Security Control Assessments, Revision 6, dated August 2017, acceptable for use by licensees to address the security controls provided in their cyber security plans.

Lessons learned through the implementation of cyber security programs over the last few years have indicated that guidance improvements were necessary to enhance clarity, enable efficient and consistent program implementation, and to support NRC oversight activities. Accordingly, the Nuclear Energy Institute (NEI) [2], on behalf of its members, submitted four white papers proposing changes to NEI 10-04, Identifying Systems and Assets Subject to the Cyber Security Rule, Revision 2, and NEI 13-10, Revision 6 for NRC review.

By letters dated May 19, 2020 (for Emergency Preparedness related changes) [3], August 14, 2020 (for Balance of Plant (BOP) related changes) [4], August 28, 2020 (for Safety-Related and Important-to-Safety related changes) [5], and June 30, 2021 (for Physical Security related changes) [6], the NRC stated that they reviewed the white papers based on NRC regulations and guidance, and based on their reviews, the staff concluded that the methods in the white papers for identifying and protecting critical digital assets were consistent with NEI 08-09, Revision 6.

[1] Agencywide Document Access and Management System (ADAMS) Accession No. ML17240A002

[2] The Nuclear Energy Institute (NEI) is the organization responsible for establishing unified industry policy on matters affecting the nuclear energy industry, including the regulatory aspects of generic operational and technical issues. NEI's members include all entities licensed to operate commercial nuclear power plants in the United States, nuclear plant designers, major architect/engineering firms, fuel cycle facilities, nuclear materials licensees, and other organizations and entities involved in the nuclear energy industry.

[3] ADAMS Accession No. ML20129J981

[4] ADAMS Accession No. ML20209A442

The attached NEI 13-10, Revision 7, incorporates the changes discussed in the four white papers and reviewed by the NRC. In addition, NEI has made the following conforming and non-substantive changes to improve clarity and flow of the document:

1) In Section 2, added Revision 7 summary
2) In Section 3, added a note with respect to BOP CDAs, referring the reader to Section 3.2
3) In Section 3.1, we deleted the last paragraph to improve clarity and possible reader confusion
4) In Section 3.2, we made (i) flow changes, (ii) deleted the paragraph on Question 5 because it is not needed, (iii) deleted some wording because it is more appropriately covered in NEI 10-04, and (iv) added some wording to help the reader understand the BOP White Paper changes
5) In Section 3.3, deleted wording more appropriately covered in NEI 10-04
6) In Appendix E, updated the appendix to reflect the four white papers, and deleted Question 5 because it is no longer needed
7) In Appendix F, updated the appendix to reflect the four white papers
8) Made other editorial changes

NEI requests that the NRC review and endorse NEI 13-10, Revision 7, dated October 2021, by December, 2021. If any revisions to this document are desired, please include suggested wording and the technical data to support the proposed change(s).

If you have any questions or require additional information, please contact Richard Mogavero, at (202) 739-8174 or rm@nei.org, or me.

Sincerely,

William R. Gross

Attachment

c: Mr. James D. Beardsley, NSIR/CSD, NRC
   NRC Document Control Desk

[5] ADAMS Accession No. ML20223A256

[6] ADAMS Accession No. ML21140A140

NEI 13-10 [Revision 7]

Cyber Security Control Assessments

October 2021

Nuclear Energy Institute, 1201 F Street N. W., Suite 1100, Washington D.C. (202.739.8000)

ACKNOWLEDGMENTS

This document was initially prepared by the nuclear power industry with input and guidance from the United States Nuclear Regulatory Commission. While many individuals contributed heavily to this document, NEI would like to acknowledge the significant leadership and contribution of the following individuals.

Executive sponsor:

James Meister, Exelon Corporation

Core project team:

Patrick Asendorf, Tennessee Valley Authority
Matthew Coulter, Duke Energy Corporation
Ronald Cowley, Talen Energy Corporation
Nathan Faith, Exelon Corporation
Pam Frey, Talen Energy Corporation
Glen Frix, Duke Energy Corporation
Jan Geib, South Carolina Electric & Gas Company
William Gross, Nuclear Energy Institute
Christopher Kelley, Exelon Corporation
Ken Levandoski, Exelon Corporation
Tony Lowry, Ameren Missouri
Jerry Mills, Duke Energy Corporation
Jay Phelps, South Texas Project Nuclear Operating Company
Don Robinson, Dominion Generation
Geoff Schwartz, Entergy
James Shank, PSEG Services Corporation
Manu Sharma, Exelon Corporation
Laura Snyder, Tennessee Valley Authority
Larry Tremonti, DTE Energy
Brad Yeates, Southern Nuclear Operating Company
Michael Zavislak, Tennessee Valley Authority

NOTICE

Neither NEI, nor any of its employees, members, supporting organizations, contractors, or consultants make any warranty, expressed or implied, or assumes any legal responsibility for the accuracy or completeness of, or assumes any liability for damages resulting from any use of, any information, apparatus, methods, or process disclosed in this report, or warrants that such may not infringe privately owned rights.

EXECUTIVE SUMMARY

When the methodology to address cyber security controls was developed in the template for the cyber security plan, the industry believed there would be a small handful of critical digital assets (CDAs) that would require a cyber security assessment. However, NEI understands that plants, including those with no digital Safety systems, have identified many hundreds if not thousands of CDAs.

Included are assets that range from those directly related to operational safety and security to those that, if compromised, would have no direct impact on operational safety, security, or emergency response capabilities.

This guidance document was developed to streamline the process for addressing the application of cyber security controls to the large number of CDAs identified by licensees when conducting the analysis required by 10 CFR 73.54(b). The goal is to minimize the burden on licensees of complying with their NRC approved cyber security plan, while continuing to ensure that the adequate protection criteria of 10 CFR 73.54 are met.


TABLE OF CONTENTS

EXECUTIVE SUMMARY ........ i
1. INTRODUCTION ........ 1
1.1. BACKGROUND ........ 1
1.2. SCOPE ........ 1
1.3. PURPOSE ........ 1
2. USE OF THIS DOCUMENT ........ 2
3. CONSEQUENCE ASSESSMENT OF CDAS ........ 4
3.1. EP CDAS ........ 5
3.2. BOP CDAS ........ 5
3.3. INDIRECT CDAS ........ 7
3.4. DIRECT CDAS ........ 7
4. EP FUNCTION MAINTAINED THROUGH ALTERNATE MEANS ........ 9
5. BASELINE CYBER SECURITY PROTECTION CRITERIA ........ 9
5.1. BOP CDAS THAT COULD CAUSE A REACTOR SCRAM/TRIP ........ 10
6. CYBER SECURITY CONTROL ASSESSMENTS OF DIRECT CDAS ........ 10
7. ACCESS AUTHORIZATION ASSESSMENTS AND PROTECTIONS ........ 12
Appendix A. FIGURE 1 - CONSEQUENCE ASSESSMENT ........ A-1
Appendix B. TEMPLATE ........ B-1
Appendix C. [DELETED] ........ C-1
Appendix D. DIRECT CDA CLASSES AND ASSESSMENTS ........ D-1
Appendix E. NEI 13-10 FREQUENTLY ASKED QUESTIONS ........ E-1
Appendix F. GUIDANCE FOR APPLICATION OF NEI 08-09 APPENDIX E CONTROLS TO INDIRECT, EP, AND BOP SCRAM/TRIP CDAS ........ F-1

CYBER SECURITY CONTROL ASSESSMENTS

1. INTRODUCTION

1.1. BACKGROUND

Title 10 of the Code of Federal Regulations, Part 73, Physical Protection of Plants and Materials, Section 73.54, Protection of Digital Computer and Communication Systems and Networks, requires that licensees provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat as described in 10 CFR 73.1.

10 CFR 73.54 requires that each licensee currently licensed to operate a nuclear power plant submit a cyber security plan (CSP) for Commission review and approval. Current applicants for an operating license or combined license must submit with or amend their applications to include a cyber security plan.

Further, 10 CFR 50.34(c)(2) states in part that "Each applicant for an operating license for a utilization facility that will be subject to the requirements of 10 CFR 73.55 of this chapter must include a cyber security plan in accordance with the criteria set forth in 10 CFR 73.54 of this chapter." The Cyber Security Plan establishes the licensing basis for the Cyber Security Program.

The purpose of the Cyber Security Plan is to provide a description of how the requirements of 10 CFR 73.54, Protection of digital computer and communication systems and networks (Rule) are implemented.

Section 3.1.6 of the licensee's CSP describes how that licensee addresses cyber security controls for digital assets that have been identified for protection against cyber attacks.

NEI 13-10 provides guidance licensees may use to streamline the process to address cyber security controls for CDAs consistent with the methodology described in CSP Section 3.1.6.

1.2. SCOPE

This document provides guidance licensees may use to streamline the process for addressing the application of cyber security controls to those digital assets that a site specific analysis, performed in accordance with the requirements of 10 CFR 73.54(b)(1), determined require protection from cyber attacks up to and including the design basis threat as described in 10 CFR 73.1.

1.3. PURPOSE

The purpose of this document is to provide guidance licensees may use to address cyber security controls for CDAs consistent with the methodology described in Section 3.1.6 of the Cyber Security Plan.

2. USE OF THIS DOCUMENT

The following method may optimize the use of the guidance in this document:

a) PRINT this document.

b) GATHER CDA-related information documented when implementing CSP Sections 3.1.3, 3.1.4, and 3.1.5.

c) PERFORM a consequence assessment of CDAs using the guidance in Section 3 of this document.

d) USE the guidance in Sections 3, 4, 5, 6, and 7 of this document to divide the CDAs identified into categories, Emergency Preparedness (EP), Balance of Plant (BOP), Indirect, and Direct CDAs, for streamlining the application of cyber security controls to identified CDAs consistent with Section 3.1.6 of the CSP.

e) DOCUMENT the assessment and RETAIN the documents in accordance with the CSP.

In order to promote consistent implementation of the guidance, an implementing template and a series of worked examples have been developed. The examples are intended to be both consistent with the guidance and illustrative of the level of acceptable documentation. The template and examples are incorporated into Revision 1 to NEI 13-10. The body of Revision 1 was unchanged from Revision 0. The template and examples are incorporated as Appendices B and C [has been deleted, see Revision 7 below], respectively.

Revision 2 to NEI 13-10 incorporates Section 6, Cyber Security Control Assessments of Direct CDAs and Appendix D. The guidance in Section 6 and Appendix D implements cyber security control assessments for Direct CDAs in a manner consistent with Section 3.1.6 of CSPs.

Revision 3 to NEI 13-10 builds on the guidance incorporated into Revision 2. Minor changes were made to the body of the document to: address an omission from Revision 2 in Section 6 regarding the use of the term access; to make it clear that the assessments provided in Appendix D do not cover all of the cyber security controls referenced in cyber security plans; and that this guidance may be used by licensees who have used RG 5.71 as a basis for their Cyber Security Plans. Finally, enhancements to the document were made to reflect lessons learned from early use of the document. These enhancements include removal of certain examples of Direct CDAs in Section 3.2 of Revision 2, introduction of a streamlining technique for certain balance-of-plant CDAs, corresponding clarifications to affected examples in Appendix C [has been deleted], and enhancements to the baseline controls for certain balance-of-plant CDAs to ensure consistency with the CIP Reliability Standards.

Revision 4 incorporates additional CDA classes and assessments into Appendix D, building on the work added in Revision 2. Conforming changes were made to the following Class control responses: D1.21 Third Party Products and Controls, and D3.21 Fail in Known (Safe) State.

Revision 5 addresses lessons learned from a workshop conducted in 2016 that included industry and NRC observers. Revision 5 modified Section 3 to enhance clarity for assigning CDAs to categories. Tables 1 and 2 from Revision 4 were removed and the guidance contained in those tables was moved to the body of the text. Figures 1 and 2 in Appendix A were used to develop a sample template in Appendix B. The BOP category was added to the example template in Appendix B. Changes to reflect the enhancements to Revision 5 were incorporated into the examples in Appendix C [has been deleted]. Two additional Appendices were added. Appendix E contains questions and answers based on lessons learned. Appendix F addresses NEI 08-09, Revision 6 programmatic controls for non-Direct CDAs.

Revision 6 addresses comments resulting from the NRC's review of NEI 13-10, Revision 5. Those comments were provided to NEI by letter dated July 21, 2017 (ADAMS Accession Number: ML17179A266). The following three items were addressed in Revision 6:

1. Revision 6 was clarified regarding the term safety functions with respect to the identification of CDAs as Direct or Indirect. Conforming changes were made to questions 1 and 2 in Appendix E.
2. Question 6 of Appendix E was clarified to indicate that for limited capability devices, detection may be possible using existing administrative measures.
3. The template in Appendix B and examples in Appendix C [has been deleted] were clarified to correctly reference the figures in Appendix A.

Revision 7 incorporates NEI white paper guidance for the identification and protection of digital assets associated with Emergency Preparedness, Balance of Plant, Safety Related and Important-to-Safety, and Security functions throughout the document. This revision also modifies the following four appendices:

1. A new Section 7 has been added to include information regarding protection of data associated with Access Authorization system.
2. Appendix A figure to reflect the changes to NEI 10-04 and the CDA Impact Assessment Form in NEI 13-10, Appendix B.
3. Appendix B, CDA Impact Assessment Form has been updated based on the guidance associated with the identification and protection of digital assets associated with Emergency Preparedness, Balance of Plant, Safety-Related and Important-to-Safety, and Security functions. Further, the Emergency Preparedness section has been moved to NEI 10-04. The analysis for EP within this document is addressed in block 3.1 and the EP blocks to the right of block 3.1 in the associated Appendix A figure.
4. Appendix C and all references to this appendix have been deleted and examples will be developed based on implementation lessons learned. Developed examples will use the new Appendix B template and will be located on the NEI Cyber Security webboard as a stand-alone document.

5. Appendix E and F have been modified to incorporate changes based on the NEI white paper guidance for the identification and protection of digital assets associated with Emergency Preparedness, Balance of Plant, Safety-Related and Important-to-Safety, and Security functions.

3. CONSEQUENCE ASSESSMENT OF CDAS

Section 3.1.6 of the CSP allows licensees to address the security controls provided in the CSP using alternate security controls if they provide at least the same protection as the required security controls. The Consequence Assessment provided in NEI 13-10 provides a method to assess alternate means of protecting low consequence CDAs (i.e., CDAs that are not Direct as described in NEI 13-10) from cyber attacks. The technical basis of the Consequence Assessment provided in this document is that the combination of the criteria for being a non-Direct CDA and the implementation of the resulting baseline cyber security controls provides equal protection as the protection provided by the required technical security controls in NEI 08-09.

Licensees may use the guidance detailed in this section to categorize low consequence CDAs into EP, BOP, or Indirect based on the potential consequence of a cyber compromise of the CDAs and to identify alternate security controls that are appropriate for the CDAs.

Any CDA that has not been determined to be a low consequence CDA is a Direct CDA.

Appendix D of this document provides examples of cyber assessments for certain Direct CDAs. A Consequence Assessment may result in the determination that certain baseline cyber security controls specified in Section 5 of this document, Baseline Cyber Security Protection Criteria, provide adequate cyber security protection for the CDA. The Consequence Assessment and the baseline requirements in Section 5 may be used as a means to address the alternative analysis requirements specified in Section 3.1.6 of the CSP.

For digital assets associated with AA system data, see Section 7, Access Authorization Assessments and Protections, for more detail.

The CDAs SSEP function and the evaluation of the potential impacts resulting from a cyber attack on the CDA may result in the CDA being qualified to be categorized as an EP, BOP or Indirect CDA rather than a Direct CDA. However, redundancy is not used as a factor in determining if a CDA is an EP, BOP, Indirect or Direct CDA.

CDAs which perform multiple SSEP functions must be evaluated in this Consequence Assessment based on the most consequential category (i.e., Direct, then either Indirect, BOP, or EP).

Consistent with Section 4.4 and 4.5 of their CSPs, licensees will establish a program to ensure that CDAs are continuously protected from cyber attacks including implementing any necessary measures to address new vulnerabilities in accordance with the CSP.

NEI 13-10 provides guidance for addressing technical cyber security controls for CDAs. As a result, cyber security controls from Appendix D, Technical Cyber Security Controls, and selected cyber security controls from Appendix E, Operational and Management Cyber Security Controls, of NEI 08-09 are addressed in NEI 13-10. The remaining Appendix E operational and management controls must be addressed programmatically in accordance with Section 3.1.6 of the CSP for CDAs (with the exception of BOP CDAs - see Section 3.2 for additional information). Appendix F of NEI 13-10, Revision 7, provides a template to address the NEI 08-09, Appendix E, operational and management controls for CDAs not classified as Direct. Appendix F of NEI 13-10 describes the use of existing plant programs to address the NEI 08-09, Appendix E, controls for the non-Direct CDAs, consistent with CSP Section 3.1.6.

3.1. EP CDAS

EP CDAs are those CDAs associated with licensees' performance of required EP functions and where the screening process has determined that a method that is independent and diverse does not exist to perform the EP function(s). Therefore, the compromise of the EP digital assets would adversely impact the EP function(s).

For EP CDAs, licensees may address the technical security controls provided in their CSP using the method provided in Section 3.1.6 of their CSP by implementing the baseline controls as described in Section 5, Baseline Cyber Security Protection Criteria or by following the guidance in Section 6, Cyber Security Control Assessments of Direct CDAs as applicable.

3.2. BOP CDAS

BOP CDAs are those CDAs that were added to the scope of the cyber security rule during the resolution of FERC Order 706-B. The following language was included within licensee CSPs to include the balance-of-plant into the scope of 10 CFR 73.54:

Within the scope of NRC's cyber security rule at Title 10 of the Code of Federal Regulations (10 CFR) 73.54, systems or equipment that perform important to safety functions include structures, systems, and components (SSCs) in the balance of plant (BOP) that could directly or indirectly affect reactivity at a nuclear power plant and could result in an unplanned reactor shutdown or transient. Additionally, these SSCs are under the licensee's control and include electrical distribution equipment out to the first inter-tie with the offsite distribution system.

NEI 10-04, Identifying Systems and Assets Subject to the Cyber Security Rule, Revision 3, provides guidance for identifying Critical Systems and CDAs. Section 4 of NEI 10-04 provides guidance for identifying and classifying Important-to-Safety and BOP important-to-safety plant systems. Section 5 of NEI 10-04 provides guidance for identifying and classifying Important-to-Safety and BOP important-to-safety CDAs.

The cyber security controls for Important-to-Safety CDAs are discussed in Section 3.3 Indirect CDAs and 3.4 Direct CDAs. The cyber security controls for BOP CDAs are described below.

The scope of the cyber security rule at 10 CFR 73.54 includes SSCs in the Balance of Plant out to the first inter-tie with the offsite distribution system that could result in an unplanned reactor shutdown or transient. BOP SSCs may have been designed and built with normal industrial quality and may not meet the standards in Appendix B to 10 CFR Part 50. Licensees are not required to generate paperwork to document the basis for the design, fabrication, and construction of BOP equipment not covered by Appendix B. Instead, it is the intent to ensure that each licensee's cyber security program protects those BOP SSCs that could result in an unplanned reactor shutdown or transient. Unplanned reactor shutdown and transient is defined as, and consistent with, NERC's CIP Reliability Standards as an event that results in the generated megawatts being reduced to zero within 15 minutes.

The language added to the CSPs includes a set of BOP CDAs that are of interest to FERC that can result in the generated megawatts being reduced to zero within 15 minutes. BOP CDAs (for facilities with LOW Impact on the BES) are associated with the administrative controls of:

  • Electronic Access Controls; Air gapped or isolated by a deterministic device
  • Cyber Security Incident Response; Control E.7, Attack Mitigation and Incident Response
  • Transient Cyber Assets and Removable Media malicious code risk mitigation: PMD Program; D.1.19, Access Control for Portable and Mobile Devices
  • Declaring and responding to CIP Exceptional Circumstances; Emergency Operating Procedures, Abnormal Operating Procedures, Emergency Preparedness Plan and Physical Security Plan; Required by NRC regulations

Based upon the risk to the Bulk Electric System (BES) that some stations may possess, all or a portion of the BOP CDAs may be classified as BOP-Scram/Trip CDAs (facilities with MEDIUM or HIGH Impact on the BES) due to meeting one of the following criteria:

  • Aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding the loss of 1500 MWe or greater in a single Interconnection.
  • Determined through System studies that a unit must run in order to preserve the reliability of the BES.
  • BES Cyber Systems for those Generation Facilities that have been identified as critical to the derivation of Interconnection Reliability Operating Limits [1] (IROLs) and their associated contingencies. IROLs may be based on dynamic System phenomena such as instability or voltage collapse. Derivation of these IROLs and their associated contingencies often considers the effect of generation inertia and Automatic Voltage Regulator response.
  • BES Cyber Systems for Special Protection Systems and Remedial Action Schemes that may be implemented to prevent disturbances that would result in exceeding IROLs if they do not provide the function required at the time it is required or if it operates outside of the parameters it was designed.
  • BOP CDAs that are not air gapped or isolated by a deterministic isolation device, or not within the PA.

[1] Interconnection Reliability Operating Limits (IROLs) is defined by the NERC Glossary of Terms as "A System Operating Limit that, if violated, could lead to instability, uncontrolled separation, or Cascading outages that adversely impact the reliability of the Bulk Electric System."

Those BOP CDAs that are classified BOP-Scram/Trip CDAs will have the Baseline Cyber Security Protection Criteria discussed in Section 5 applied to protect the assets at the same level as the FERC regulated Generator Operators/Owners.

3.3. INDIRECT CDAS

Indirect CDAs are those CDAs that cannot have an adverse impact on Safety or Security functions prior to their compromise or failure being detected and compensatory measures being implemented by a licensee. Scoping of Safety and Security functions is performed by using NEI 10-04 Revision 3.

Specifically, Indirect CDAs must meet all three of the following criteria:

1. If compromised, would not have an adverse impact on Safety or Security functions.
2. Are not indicators/annunciators solely relied-on for making Safety or Security decisions.
3. The compromise of which can be detected, and compensatory measures taken, prior to an adverse impact to Direct CDAs or Safety or Security functions.

Provide analysis including the following to show the compromise can be detected and mitigated prior to adverse impact:

a) Determine and document the time period required, once an Indirect CDA has been compromised, for both detection and compensatory measures to be taken prior to an adverse impact to Safety and Security functions. The time period required may be based on existing analyses.

b) Document a method, and associated implementing procedures, for the detection of an Indirect CDA compromise and/or failure.

c) Document implementation strategies for compensatory measures to eliminate the adverse impact to Safety, and Security functions in all operating modes.

d) Document the technical justification for how the detection activities and compensatory measures (i.e., Steps b and c above) for the Indirect CDA compromise and/or failure are sufficient and will occur within the time period determined by the licensee in Step a.

For Indirect CDAs, licensees may comply with the requirements of Section 3.1.6 of their Cyber Security Plans by documenting that the CDA meets the criteria described above and by implementing baseline controls for Indirect CDAs as described in Section 5.
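The categorization order in Section 3 (Direct first, then Indirect, BOP, or EP, with redundancy excluded as a factor) and the Indirect CDA analysis steps a through d above are a decision procedure, so the following is an added example that encodes them as checkable code. It is not part of NEI 13-10 or any licensee's assessment tool; the field names, the sample assets and their times, and two interpretive choices (an EP function for which an independent and diverse method exists contributes no category, and the relative ordering of the non-Direct categories used when one CDA performs several functions) are assumptions of the example.

```python
"""Consequence-assessment helper in the style of NEI 13-10 Section 3.

Added example, not part of NEI 13-10.  Encodes the Section 3 ordering
(Direct, then Indirect, BOP, or EP) and the Section 3.3 Indirect CDA
analysis steps a-d as a decision function with a timing check.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Category(Enum):
    DIRECT = "Direct"
    INDIRECT = "Indirect"
    BOP_SCRAM_TRIP = "BOP-Scram/Trip"
    BOP = "BOP"
    EP = "EP"


# Consequence rank used for multi-function CDAs.  Section 3 puts Direct first;
# the relative order of the non-Direct categories is an assumption here.
_RANK = {Category.DIRECT: 0, Category.INDIRECT: 1, Category.BOP_SCRAM_TRIP: 2,
         Category.BOP: 3, Category.EP: 4}


@dataclass
class IndirectAnalysis:
    """Evidence for Section 3.3 steps a-d (times in minutes, constructed)."""
    time_to_adverse_impact_min: float   # step a: period before adverse impact
    detection_method: str               # step b: documented detection method
    detection_time_min: float           # step b: time until compromise is detected
    compensatory_measure: str           # step c: documented compensatory measure
    compensatory_time_min: float        # step c: time to put the measure in place
    justification: str                  # step d: technical justification

    def response_time_min(self) -> float:
        return self.detection_time_min + self.compensatory_time_min

    def is_sufficient(self) -> bool:
        """Step d: b and c are documented and complete within the step-a period."""
        documented = all((self.detection_method, self.compensatory_measure,
                          self.justification))
        return documented and self.response_time_min() <= self.time_to_adverse_impact_min


@dataclass
class SsepFunction:
    """One SSEP function a CDA performs; kind is Safety, Security, EP, or BOP."""
    kind: str
    adverse_impact_if_compromised: bool = True          # Indirect criterion 1
    sole_indicator_for_decisions: bool = False          # Indirect criterion 2
    indirect_analysis: Optional[IndirectAnalysis] = None  # Indirect criterion 3
    independent_diverse_method_exists: bool = False     # Section 3.1 EP screening
    bop_scram_trip_criteria_met: bool = False           # any Section 3.2 criterion


@dataclass
class Cda:
    name: str
    functions: list
    # No redundancy field on purpose: Section 3 says it is not a factor.


def categorize_function(fn: SsepFunction) -> Optional[Category]:
    if fn.kind == "EP":
        # Section 3.1: an EP CDA is one with no independent and diverse method.
        # Treating the other case as contributing no category is an assumption.
        return None if fn.independent_diverse_method_exists else Category.EP
    if fn.kind == "BOP":
        return Category.BOP_SCRAM_TRIP if fn.bop_scram_trip_criteria_met else Category.BOP
    # Safety or Security function: Indirect only if all three criteria hold,
    # otherwise it is Direct (Section 3.4: anything not shown low consequence).
    meets_indirect = (not fn.adverse_impact_if_compromised
                      and not fn.sole_indicator_for_decisions
                      and fn.indirect_analysis is not None
                      and fn.indirect_analysis.is_sufficient())
    return Category.INDIRECT if meets_indirect else Category.DIRECT


def categorize(cda: Cda) -> Category:
    """Most consequential category across all of the CDA's functions."""
    results = [c for c in map(categorize_function, cda.functions) if c is not None]
    if not results:
        raise ValueError(f"{cda.name}: no SSEP function drives categorization")
    return min(results, key=_RANK.__getitem__)


def assess_all(cdas) -> dict:
    return {c.name: categorize(c).value for c in cdas}


# Constructed sample evidence: 60 min before impact, detection in 15 min,
# compensatory measure in 20 min (sufficient) or 50 min (not sufficient).
SAMPLE_ANALYSIS = IndirectAnalysis(60, "display heartbeat alarm in control room", 15,
                                   "operators read local gauge per abnormal procedure", 20,
                                   "15 + 20 = 35 min is within the 60 min period")
SLOW_ANALYSIS = IndirectAnalysis(60, SAMPLE_ANALYSIS.detection_method, 15,
                                 SAMPLE_ANALYSIS.compensatory_measure, 50,
                                 "15 + 50 = 65 min exceeds the 60 min period")

SAMPLE_CDAS = [  # constructed assets, not from any plant
    Cda("trend display", [SsepFunction("Safety", adverse_impact_if_compromised=False,
                                       indirect_analysis=SAMPLE_ANALYSIS)]),
    Cda("trend display (slow response)", [SsepFunction("Safety", adverse_impact_if_compromised=False,
                                                       indirect_analysis=SLOW_ANALYSIS)]),
    Cda("turbine control unit", [SsepFunction("BOP", bop_scram_trip_criteria_met=True),
                                 SsepFunction("EP")]),
    Cda("alarm station server", [SsepFunction("Security", adverse_impact_if_compromised=False,
                                              sole_indicator_for_decisions=True,
                                              indirect_analysis=SAMPLE_ANALYSIS)]),
]

if __name__ == "__main__":
    for name, category in assess_all(SAMPLE_CDAS).items():
        print(f"{name}: {category}")
```

The timing check is the part that tends to be hand-waved in assessments: step d only holds when the documented detection time plus the time to implement the compensatory measure fits inside the step-a period, so the same asset with a slower response falls back to Direct. The alarm station server shows criterion 2 in action: even with a sufficient analysis, an indicator solely relied on for Security decisions cannot be Indirect, which matches the Direct example given in Section 3.4.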

3.4. DIRECT CDAS

In general, Direct CDAs are those CDAs that have not been determined to be Indirect, BOP or EP CDAs. Since the required security controls in NEI 08-09 are addressed for Direct CDAs, it is not necessary to show that a CDA is a Direct CDA. Licensees may use streamlining techniques, when applicable, for addressing the applicability of security controls to Direct CDAs. These include the use of common controls, inherited controls, and type assessments when such measures adequately address attack pathways and vectors associated with the Direct CDAs. These techniques can reduce the effort required for addressing protections for Direct CDAs.

In general, the term common control means a particular security control whose implementation provides a security benefit to multiple CDAs. The term inherited controls (technical) refers to a situation in which a CDA receives protection from technical security controls (or portions of security controls) that are developed and implemented elsewhere such as on another CDA. Finally, the term type assessment or grouping of CDAs refers to a situation in which multiple CDAs share substantially similar technical features, functions and capabilities. For type assessments, a single assessment is created noting the differences, if any, between the devices.

In cases where a technical control cannot be implemented, a threat vector associated with the technical control exists, and the CDA is unable to inherit the associated protections from another CDA, an alternate control (including administrative controls if alternative technical security controls cannot be used to address the security controls) can be used to mitigate the associated risk. Section 3.1.6 of the CSP describes the criteria for the implementation of alternate security controls.

Section 6, Cyber Security Control Assessments of Direct CDAs and Appendix D of this document implements cyber security control assessments for Direct CDAs in a manner consistent with Section 3.1.6 of CSPs.

Redundancy should not be used as a factor in determining if a CDA is an Indirect, BOP, EP or Direct CDA.

Some examples of Direct CDAs:

  • CDAs identified in accordance with Milestone 6; and
  • Security computer alarm station server(s).


NEI 13-10 (Revision 7)

October 2021

4. EP FUNCTION MAINTAINED THROUGH ALTERNATE MEANS

[DELETED]

5. BASELINE CYBER SECURITY PROTECTION CRITERIA

An assessment using the guidance in Section 3 permits licensees to demonstrate that alternative controls and countermeasures are sufficient to provide adequate protection of CDAs. For these CDAs, the baseline set of cyber security protections is sufficient to provide high assurance that the CDAs are adequately protected against cyber attacks up to and including the design basis threat as described in 10 CFR 73.1.

Where these baseline cyber security criteria are not met, the licensee must document and implement additional security controls to ensure adequate protections are in place for the CDA. These additional security controls are implemented using the methodology in CSP Section 3.1.6.

Changes to the baseline cyber security controls must be reviewed in accordance with the CSP to ensure the non-Direct CDAs remain adequately protected from cyber attacks.

Where a licensee chooses to credit these baseline cyber security controls for an Indirect, BOP-Scram/Trip, or EP CDA, the licensee must confirm these baseline minimum controls criteria are met. EP CDAs may be considered to be adequately protected from cyber attacks if baseline criteria d, e, f, and g are met. A BOP-Scram/Trip CDA or Indirect CDA may be considered to be adequately protected from cyber attacks if all of the following baseline criteria are met:

a) The CDA, as identified using the analysis set forth in Section 3 of this document, is located within a Protected or Vital Area or the cyber security controls in NEI 08-09, Appendix E, Section E.5 Physical and Operational Environment Protection, are addressed.

b) The CDA and any interconnected assets do not have wireless internetworking communications technologies.

c) The CDA and any interconnected assets are either air-gapped or isolated by a deterministic isolation device. In order to properly fulfill their SSEP function, some non-Direct CDAs are excluded from the requirement to be air-gapped or isolated by a deterministic isolation device. These CDAs include but may not be limited to:

1. Communication systems such as a PBX, Radio systems, or other devices whose SSEP function requires external communication. These communication systems and networks must not provide an attack pathway to isolated devices, systems, or networks.
2. Log aggregation and event correlation servers which reside outside the deterministic isolation device or which reside on the corporate business networks to fulfill the site wide aggregation, monitoring, and alerting functions.

d) Use of portable media and mobile devices is controlled according to NEI 08-09 D.1.19 in order to ensure the CDA will not be compromised as a result of the use of portable media and mobile devices.

e) Changes to the CDA are evaluated and documented before implementation to ensure the following:

1. Baseline security criteria remain in place and effective.
2. No new pathways or vulnerabilities have been created.
3. No change to the CDA would now make it Direct.
4. Threat and vulnerability notifications received from credible sources are screened, evaluated, mitigated and dispositioned in accordance with the CSP.

f) The CDA, or the interconnected equipment that would be affected by the compromise of the CDA, is periodically checked to ensure the equipment is capable of performing its intended function. These checks could include any routine check performed to determine the functional or operational availability of the equipment. The periodicity of checks must be sufficient to ensure detection and mitigation of cyber attacks prior to an adverse impact to any Safety, Security, or EP functions resulting from cyber attacks.

Section 3.1.6(2)(d) of the CSP allows licensees to implement an alternate periodicity for security controls by documenting the basis for the alternate periodicity.

g) Ongoing Monitoring and Assessment is performed to ensure the security posture of the CDA is maintained by verifying that baseline security criteria remain in place.
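The following is an added illustration, not part of NEI 13-10, that encodes the Section 5 decision logic as a small evaluator: EP CDAs are checked only against criteria d through g, BOP-Scram/Trip and Indirect CDAs against all of a through g, and the criterion c exclusions (communication systems and site-wide log aggregation servers) are honoured. The CDA record layout, the role labels and the sample inventory are constructed for the example; anything reported as unmet is what the licensee would have to address under CSP Section 3.1.6.

```python
"""Baseline cyber security protection criteria check (NEI 13-10 Section 5).

Added illustration, not NEI 13-10's own material. The CDA record fields,
the role labels and SAMPLE_INVENTORY below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Criterion letters from Section 5 (a through g).
ALL_CRITERIA = ("a", "b", "c", "d", "e", "f", "g")

# Baseline criteria each non-Direct CDA category must meet (Section 5).
REQUIRED = {
    "EP": ("d", "e", "f", "g"),
    "BOP-Scram/Trip": ALL_CRITERIA,
    "Indirect": ALL_CRITERIA,
}

# Criterion c exclusions named in Section 5: devices whose SSEP function
# requires external communication, and site-wide log aggregation servers.
# The role labels are constructed for this example.
ISOLATION_EXEMPT_ROLES = {"communication", "log-aggregation"}


@dataclass
class CDA:
    name: str
    category: str                 # "EP", "BOP-Scram/Trip" or "Indirect"
    in_pa_or_va: bool             # a: located within a Protected or Vital Area
    e5_controls_addressed: bool   # a: alternative, NEI 08-09 App. E Section E.5 addressed
    wireless: bool                # b: wireless internetworking on CDA or interconnected assets
    isolated: bool                # c: air-gapped or behind a deterministic isolation device
    role: str = "general"         # c: used only for the exclusion lookup
    portable_media_controlled: bool = False   # d: NEI 08-09 D.1.19 applied
    change_evaluation: bool = False           # e: changes evaluated before implementation
    periodic_function_check: bool = False     # f: periodic functional checks performed
    ongoing_monitoring: bool = False          # g: ongoing monitoring and assessment


def criterion_results(cda: CDA) -> dict[str, bool]:
    """Evaluate every Section 5 criterion independently; True means met."""
    return {
        "a": cda.in_pa_or_va or cda.e5_controls_addressed,
        "b": not cda.wireless,
        "c": cda.isolated or cda.role in ISOLATION_EXEMPT_ROLES,
        "d": cda.portable_media_controlled,
        "e": cda.change_evaluation,
        "f": cda.periodic_function_check,
        "g": cda.ongoing_monitoring,
    }


def baseline_assessment(cda: CDA) -> tuple[bool, list[str]]:
    """Return (baseline_met, unmet_required_criteria) for one CDA.

    Criteria that the category does not require (a through c for EP CDAs)
    are evaluated but never counted as failures.
    """
    if cda.category not in REQUIRED:
        raise ValueError(f"{cda.name}: {cda.category!r} is not a non-Direct CDA category")
    results = criterion_results(cda)
    unmet = [c for c in REQUIRED[cda.category] if not results[c]]
    return (not unmet, unmet)


def summarize(inventory: list[CDA]) -> dict[str, tuple[bool, list[str]]]:
    """Map each CDA name to its baseline result, for an inspection record."""
    return {cda.name: baseline_assessment(cda) for cda in inventory}


# Constructed sample inventory (names and attributes are illustrative only).
_ALL_ADMIN = dict(portable_media_controlled=True, change_evaluation=True,
                  periodic_function_check=True, ongoing_monitoring=True)
SAMPLE_INVENTORY = [
    CDA("Flow indicator FI-101", "Indirect", True, False, False, True, **_ALL_ADMIN),
    CDA("Wireless HMI panel", "Indirect", True, False, True, True, **_ALL_ADMIN),
    CDA("Site log server", "Indirect", True, False, False, False, role="log-aggregation", **_ALL_ADMIN),
    CDA("EP notification gateway", "EP", False, False, True, False, **_ALL_ADMIN),
]

if __name__ == "__main__":
    for name, (met, unmet) in summarize(SAMPLE_INVENTORY).items():
        print(f"{name}: {'baseline met' if met else 'unmet criteria ' + ', '.join(unmet)}")
```

The wireless HMI fails on criterion b even though everything else is in place, the log server passes because Section 5 exempts log aggregation servers from the isolation requirement, and the EP gateway passes despite being wireless and unisolated because only d through g apply to EP CDAs.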

5.1. BOP CDAS THAT COULD CAUSE A REACTOR SCRAM/TRIP

[DELETED]

6. CYBER SECURITY CONTROL ASSESSMENTS OF DIRECT CDAS

Section 3.4, Direct CDAs, describes several streamlining techniques for performing cyber security control assessments. These techniques include the use of common controls, alternate controls, control inheritance, and type assessments.

Appendix D to this document provides type assessments for Direct CDAs. Appendix D provides a class description and a corresponding cyber security control assessment table for the class. The class description enumerates generic properties of a digital device relevant to addressing technical cyber security controls for devices having those properties. The class description also includes examples of digital devices in that class. The cyber security control assessment table addresses technical cyber security controls for the class. The assessment is provided in tabular format for ease of reference; however, the table may be incorporated into other tools at the licensee's discretion.

Access - the term access as used in NEI 08-09 Rev. 6 Appendix D is defined as access to data, program code, logic or configuration settings within a CDA through a local or remote, machine or human interface that could result in an adverse impact to an SSEP function.

The cyber security control assessment table includes the following columns:

  • Common - the control may be implemented organizationally and applied to all CDAs;
  • Apply to CDA - licensee must address this control for the CDA or class;
  • Alternate - the cyber security control may be met through alternate means;
  • Basis - provides a justification for the determination of control applicability (i.e., common, apply to CDA, alternate, or not applicable). The Basis column references or reproduces statements from the class document to support the justification.

NOTE: cyber security control references in the Basis column of a specific assessment table are indices to those cyber security controls within that same assessment table.

The guidance in Appendix D of NEI 13-10 may be used as follows:

1) Determine the class for a given CDA using the CDA's technical documentation and the class description in Appendix D.
2) Use the Appendix D cyber security control assessment table for the class to identify those cyber security controls marked "Apply to CDA".
3) Address the controls identified in Step 2, above, in accordance with CSP Section 3.1.6.

Documentation of how the class was determined in Step 1, above, and how the cyber security controls were addressed in Step 3, above, should be retained and available for inspection.

Once the class of a given CDA has been determined, that information may be shared among licensees. For example, if a licensee determines that a Rosemount 3153N digital transmitter is a Class A.1 device, that information may be shared with other licensees.

Because it may be the case that devices with the same make and model number may not be identical (i.e., some devices with the same make and model number may have differing digital capabilities), licensees should confirm their CDAs meet the class description.


7. ACCESS AUTHORIZATION ASSESSMENTS AND PROTECTIONS

Licensees are required to evaluate digital assets used in the Access Authorization program in accordance with 10 CFR 73.54(b)(1), 10 CFR 73.55(b)(3), and 10 CFR 73.55(b)(7). Licensees are also required to ensure personal information is not disclosed to unauthorized persons [10 CFR 73.56(m)] and prevent unauthorized access to AA records and ensure AA records cannot be altered once committed to storage [10 CFR 73.56(o)]. This section provides licensees guidance on performing an analysis to identify digital assets that store and transmit AA data. Protection of AA data to prevent an adverse impact to the security function may rely on manual data verification and/or cyber security controls. The purpose of this manual verification prior to entering elements of AA system data into the PSCS is to ensure the confidentiality, integrity, and availability of data used to perform AA functions when digital assets storing and transmitting AA data are not required to be classified as critical digital assets.

Digital information systems and applications that store or transmit personally identifiable information (PII), which is defined in NEI 03-01 (Nuclear Power Plant Access Authorization Program) as all information, unique to an individual, that is collected or developed during the implementation of the UAA or FFD program requirements, must be identified as digital AA assets. Licensee analysis of digital AA assets, used to facilitate the implementation of the AA program, will determine the security controls needed to comply with 10 CFR 73.54, while still meeting 10 CFR 73.55(b)(7), 10 CFR 73.56(m) and 10 CFR 73.56(o) requirements. The following information provides guidance for performing an AA analysis to address options for securing and protecting AA system data confidentiality, integrity, and availability.

1) Option 1 - AA digital assets reside on lower security levels (e.g., levels not protected by a deterministic one-way device) and are documented as CDAs.

In this option, licensees would classify the AA digital assets as CDAs and, in order to demonstrate adequate protection, licensees can take credit for (1) cyber security measures implemented under their corporate IT's cyber security program; (2) cyber security measures implemented under existing programs; and (3) alternative measures that comply with Section 3.1.6 of the CSP. At a minimum, licensees would have to address:

  • D1.16: Open/Insecure Protocol Restrictions
  • D1.22: Use of External Systems
  • D3.6: Transmission Integrity
  • D3.7: Transmission Confidentiality
  • D3.9: Cryptographic Key Establishment and Management
  • D3.10: Unauthorized Remote Activation of Services
  • D3.11: Transmission of Security Parameters
  • D3.12: Public Key Infrastructure Certificates
  • D3.19: Confidentiality of Information at Rest
  • D4.1: Identification and Authentication Policies and Procedures
  • D4.2: User Identification and Authentication

2) Option 2 - AA digital assets reside on higher security levels (e.g., levels protected by a deterministic one-way device) and are documented as CDAs.

AA assets classified as CDAs under this option must be protected in a manner compliant with a licensee's Cyber Security Plan.

3) Option 3 - Alternate Method: AA digital assets used for AA functions not identified as CDAs, but changes to these digital assets are analyzed and documented per licensee procedures/policies.

Licensees can comply with 10 CFR 73.54(b)(1) by addressing the 10 CFR 73.56(m) and 10 CFR 73.56(o) requirements and implementing one of the following alternatives:

a. Using only validated printed AA records. Use of this option requires that AA records with personal information be physically secured and access to those records must be limited to authorized personnel only.
b. Use a combination of printed and/or secured digital AA records to store and transmit AA records. Use of this option requires a combination of manual data confidentiality and integrity verification checks and cyber security controls to protect and secure AA data confidentiality and integrity.

The following provides additional guidance for these two alternatives.

1. AA System Printed Record Controls:

Licensees would use only printed documents or copies to store and transmit AA data. In these situations, the analysis required by 10 CFR 73.54 would determine the AA digital assets are not CDAs. The use of printed documents ensures the confidentiality, integrity, and availability of data used to perform AA functions (e.g., entering data into the PSCS and access determinations). Documents should be printed in a timely manner to ensure records are not altered between the time verification takes place and when the individual's access is processed. While the AA digital assets are not classified as CDAs, licensees should document in their analysis how the 10 CFR 73.56(m) and 10 CFR 73.56(o) requirements are being addressed on these AA Assets.

Option 3 Examples

(a) Manual Method

  • Request for access is submitted, the request becomes a source document.
  • A Personal History Questionnaire (PHQ) is sent to the applicant, who returns the PHQ to the utility.
  • The PHQ is verified to match the request data and printed.
  • True Identity verification of the applicant during the completion of elements. UAA granted after validating completion of elements in source document.
  • True Identity verification prior to badging with the printed source documents.
  • Badge data is sent to Security.

  • Security validates information with Reviewing Official prior to activating UA.
  • UA information validation requires concurrence prior to activation in Physical Security Computer System.

2. AA System Printed and Digital Records Controls:

Licensees may use a combination of printed records along with existing digital assets on their administrative (lower security levels) network or stand-alone network to store and transmit AA data. In these situations, the 10 CFR 73.54 analysis would determine that these digital assets are not CDAs because the digital assets, if compromised, would not result in modified information being entered into the PSCS. Licensees must analyze and document changes to AA digital assets, including changes to the cyber security controls applied to them. The analysis should also document how the 10 CFR 73.56(m) and 10 CFR 73.56(o) requirements are being addressed. Using configuration management processes, licensees must evaluate future changes made to the AA digital assets to ensure that those assets can continue to provide their protected AA function per licensee procedures/policies. The cyber security controls and manual data verification steps in the process ensure the confidentiality, integrity, and availability of data by addressing the subset of controls outlined in the Example 3 Options below, and performing a secondary verification on the subset of data that is input into the PSCS prior to it being used in the AA function (e.g., manual verification of AA system data prior to its entry into the PSCS, UA/UAA). In these situations, the 10 CFR 73.54 analysis would determine that these digital assets are not CDAs because the digital assets, if compromised, would not result in modified information being used to perform access authorization system functions. The following examples provide guidance on acceptable implementation of this option:

Example 3.b.1 (Manual and Digital Method: Stand-Alone/Non-Internet Connected Computer)

  • Request for access is submitted, the request becomes a source document or secured offline file.
  • A PHQ is sent to the applicant, who returns the PHQ to the utility.
  • The PHQ is verified to match the request data.
  • All AA data and information are manually transferred to, and stored on, a stand-alone or non-internet-connected computer with appropriate cyber security controls.
  • The process must be analyzed and protected by addressing, at a minimum, the following cyber security controls:

    o D1.16: Open/Insecure Protocol Restrictions
    o D1.22: Use of External Systems
    o D3.6: Transmission Integrity
    o D3.7: Transmission Confidentiality
    o D3.9: Cryptographic Key Establishment and Management
    o D3.10: Unauthorized Remote Activation of Services
    o D3.11: Transmission of Security Parameters
    o D3.12: Public Key Infrastructure Certificates
    o D3.19: Confidentiality of Information at Rest
    o D4.1: Identification and Authentication Policies and Procedures
    o D4.2: User Identification and Authentication

  • True Identity verification during the completion of elements. UAA granted after validating completion of elements in source document or secured offline file.
  • True Identity verification prior to badging.
  • Badge data is verified against previously provided digital records.
  • Security validates information with Reviewing Official prior to activating UA.
  • UA information validation requires concurrence prior to activation in Physical Security Computer System.

Example 3.b.2 (Manual and Digital Method: Systems Residing on Lower Security Levels with AA data Secured)

  • Request for access is submitted, the request becomes a source document or digitally secured source file using cryptographic technologies that ensure data integrity.
  • A PHQ is sent to the applicant, who returns the PHQ to the utility.
  • The PHQ is verified to match the request data.
  • All AA data and information are protected on the computer systems residing on lower security levels, addressing appropriate cyber security controls.
  • The process must be analyzed and protected by addressing, at a minimum, the following cyber security controls:

    o D1.16: Open/Insecure Protocol Restrictions
    o D1.22: Use of External Systems
    o D3.6: Transmission Integrity
    o D3.7: Transmission Confidentiality
    o D3.9: Cryptographic Key Establishment and Management
    o D3.10: Unauthorized Remote Activation of Services
    o D3.11: Transmission of Security Parameters
    o D3.12: Public Key Infrastructure Certificates
    o D3.19: Confidentiality of Information at Rest
    o D4.1: Identification and Authentication Policies and Procedures
    o D4.2: User Identification and Authentication

  • True Identity verification during the completion of elements. UAA granted after validating completion of elements in source document.
  • True Identity verification prior to badging.
  • Badge data verified against previously provided digital records.
  • Security validates information with Reviewing Official prior to activating UA.
  • UA information validation requires concurrence prior to activation in Physical Security Computer System.

Example 3.b.3 (Manual and Digital Method: Systems Residing on Lower Security Levels with AA Data Transferred to Systems Residing on Higher Security Levels)

  • Request for access is submitted, the request becomes a source document.
  • A PHQ is sent to the applicant, who returns the PHQ to the utility.
  • The PHQ is verified to match the request data.
  • All AA data and information are transferred using appropriate cyber security protocols from the computer systems residing on lower security levels, to the computer systems residing on higher security levels (CDAs).
  • The process must be analyzed and protected by addressing, at a minimum, the following cyber security controls:

    o D1.16: Open/Insecure Protocol Restrictions
    o D1.22: Use of External Systems
    o D3.6: Transmission Integrity
    o D3.7: Transmission Confidentiality
    o D3.9: Cryptographic Key Establishment and Management
    o D3.10: Unauthorized Remote Activation of Services
    o D3.11: Transmission of Security Parameters
    o D3.12: Public Key Infrastructure Certificates
    o D3.19: Confidentiality of Information at Rest
    o D4.1: Identification and Authentication Policies and Procedures
    o D4.2: User Identification and Authentication

  • True Identity verification during the completion of elements. UAA granted after validating completion of elements in source document.
  • True Identity verification prior to badging.
  • Badge data verified against previously provided digital records.
  • Security validates information with Reviewing Official prior to activating UA.
  • UA information validation requires concurrence prior to activation in Physical Security Computer System.

When the process and one of the examples above are implemented, the 10 CFR 73.55(b)(3), 10 CFR 73.55(b)(7), 10 CFR 73.56(m) and 10 CFR 73.56(o) requirements, as they relate to cyber security, are addressed by the following:

10 CFR 73.56(m) Protection of information requirements are addressed by the licensee's process for securing printed personnel files along with their process for granting, controlling and revoking access to AA information systems. Both processes establish and maintain a system of files and procedures to ensure personal information is not disclosed to unauthorized persons.

10 CFR 73.56(o) Records requirements are addressed by the processes for preventing unauthorized access to the records and the secondary verification steps used to verify AA data integrity prior to it being entered into the Plant Security Computer System (PSCS).

These processes outlined in the examples prevent the alteration of any archived data from the time it has been committed to storage until it is advanced in the process and entered into the PSCS.

Collectively the actions documented above ensure the confidentiality, integrity, and availability of data used to perform AA functions (e.g., grant UA/UAA) and the subset of data that is input into the PSCS.
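The following is an added illustration, not NEI 13-10's own material, of the two integrity mechanisms the Option 3.b examples rely on: a digitally secured source file (Example 3.b.2) whose integrity tag is computed when the record is committed, and the secondary verification of the data subset before it is entered into the PSCS (the 10 CFR 73.56(o) discussion above). The record fields, the key, the PSCS field list and the tampering scenario are all constructed for the example; the keyed-hash chain is one technique that satisfies the description, not a method the document prescribes.

```python
"""Integrity protection and secondary verification for AA source records
(NEI 13-10 Section 7, Option 3.b).

Added illustration, not NEI 13-10's own code. Record fields, the key and
the tampering scenario are constructed for the example.
"""
from __future__ import annotations

import hashlib
import hmac
import json

# Assumption: the verification key is held by the AA program, not by the
# lower-security-level system that stores the records. Constructed value;
# a real key would come from the licensee's key management process (D3.9).
AA_INTEGRITY_KEY = b"example-key-not-for-production"

# Subset of AA data that is input into the PSCS and therefore gets the
# secondary verification (constructed field names).
PSCS_FIELDS = ("badge_id", "name", "access_level", "uaa_granted_on")


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical content always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(prev_tag: str, record: dict) -> str:
    return hmac.new(AA_INTEGRITY_KEY, prev_tag.encode() + canonical(record), hashlib.sha256).hexdigest()


def commit_record(record: dict, prev_tag: str = "") -> dict:
    """Seal a record at the point it becomes a source document.

    The tag covers the record content and the previous record's tag, so a
    stored record cannot be altered, nor an earlier one silently replaced,
    without the later verification failing.
    """
    return {"data": dict(record), "prev": prev_tag, "tag": _tag(prev_tag, record)}


def verify_entry(entry: dict) -> bool:
    """Recompute the tag; constant-time comparison avoids leaking partial matches."""
    return hmac.compare_digest(_tag(entry["prev"], entry["data"]), entry["tag"])


def verify_chain(entries: list[dict]) -> bool:
    """Check every entry and that each one links to its predecessor."""
    prev = ""
    for entry in entries:
        if entry["prev"] != prev or not verify_entry(entry):
            return False
        prev = entry["tag"]
    return True


def pscs_input(entry: dict) -> dict:
    """Secondary verification: release the PSCS subset only from an intact record."""
    if not verify_entry(entry):
        raise ValueError("AA record failed integrity verification; do not enter into PSCS")
    return {k: entry["data"][k] for k in PSCS_FIELDS}


def demo() -> dict:
    """Walk the Option 3.b flow on constructed records and report the checks."""
    request = {"badge_id": "B-0001", "name": "A. Example", "access_level": "UA",
               "uaa_granted_on": "2021-10-01", "phq_received": True}
    first = commit_record(request)                                   # request becomes a source file
    second = commit_record(dict(request, access_level="UAA",
                                uaa_granted_on="2021-10-15"), first["tag"])  # later UAA decision
    ledger = [first, second]
    # Simulated alteration after commit: the stored copy of the first record is edited.
    tampered = dict(first, data=dict(first["data"], access_level="UAA"))
    return {
        "chain_intact": verify_chain(ledger),
        "tampered_detected": not verify_entry(tampered),
        "pscs_subset": pscs_input(second),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Only the PSCS subset leaves the verified record, which keeps the fields that never reach the PSCS (here the PHQ receipt flag) out of the security computer while still covering them with the integrity tag.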

Appendix A. FIGURE 1 Consequence Assessment

Figure 1 illustrates the guidance in Sections 3 and 4 of this document.

Figure 2 - Alternate Means Assessment for EP

[DELETED]

Appendix B. TEMPLATE

Appendix B provides an example implementing template consistent with the guidance.

CDA IMPACT ASSESSMENT FORM

CDA Identification:

CDA Number:

CDA Description:

Additional CDA Numbers, IF performing assessment of grouped CDAs. Ensure you have documented criteria and technical basis for grouping CDAs:

Emergency Planning (EP) Consequence Assessment: (Step 1.0)

[EP Scoping Criteria for Critical Digital Asset Determination Moved to NEI 10-04]

Consequence Assessment (Reference Section 3 and Appendix A, Figure 1 - Consequence Assessment)

1.0 The EP scoping analysis steps are now contained in NEI 10-04, Appendix C. This analysis covers the questions in Block 3.1 and the EP Blocks to the right of Block 3.1 in the figure in Appendix A of this document. (YES / NO) If the NEI 10-04 EP scoping analysis determines the EP digital asset should be a CDA, proceed to Step 2.0 of this assessment form.

Balance of Plant (BOP) CDA Consequence Assessment: (Steps 2.0 to 2.1)

2.0 Figure 1, Box 3.2: Is the CDA a BOP CDA as described in Section 3.2? (YES / NO) Document the CDA's function and the basis for the YES or NO answer as to why the CDA will cause generated megawatts to reduce to zero within 15 minutes or less.

Note: BOP CDAs include only those CDAs that were added to the program to meet FERC Order 706-B. Refer to Section 3.2 of NEI 13-10 for criteria.

IF YES, THEN proceed to Step 2.1. IF NO, THEN proceed to Step 3.0.

2.1 Figure 1, Box 3.2a: Is the CDA a BOP-Scram/Trip CDA as described in Section 3.2? (YES / NO) Document why the CDA meets the BOP-Scram/Trip Criteria in Section 3.2.

IF YES, THEN proceed to Step 3.2. IF NO, THEN end assessment here.

Indirect CDA Consequence Assessment: (Steps 3.0 to 3.2)

3.0 Figure 1, Box 3.3: Is the CDA an indirect CDA as described in Section 3.3? (YES / NO) Document the CDA's function and the basis for the YES or NO answer.

Note: Indirect CDAs include only those CDAs that meet all three of the following criteria:

1. If compromised, would not have a near-term adverse impact on Safety or Security functions.
2. Are not indicators/annunciators solely relied on for making Safety or Security decisions.
3. The compromise of which can be detected, and compensatory measures taken, prior to an adverse impact to direct CDAs or Safety or Security functions. Provide analysis including the following to show the compromise can be detected and mitigated prior to adverse impact.

IF YES, THEN proceed to Step 3.1. IF NO, THEN proceed to Step 4.0.

3.1 Figure 1, Box 3.3a Adverse Impact Mitigated - Has the licensee determined, documented, and implemented the following? (YES / NO)

a. Determine and document the time period required, once an indirect CDA has been compromised, for both detection and compensatory measures to take place prior to an adverse impact to Safety and Security functions. The time period required may be based on existing analyses.
b. Document a method, and associated implementing procedures, for the detection of an indirect CDA compromise and/or failure within the minimum time period.
c. Document implementation strategies for compensatory measures to eliminate the adverse impact to direct CDAs or Safety-Related, Important-to-Safety or Security functions in all operating modes.
d. Document the technical justification for how the detection activities and compensatory measures (i.e., Steps b and c above) for indirect CDA compromise and/or failure are sufficient and will occur within the minimum time period determined by the licensee in Step a.

IF YES, THEN proceed to Step 3.2. IF NO, THEN proceed to Step 4.0.

3.2 Figure 1, Box 5: Are the baseline Cyber Security protections described in Section 5 of NEI 13-10 in place for the CDA? (YES / NO) Ensure each of the following baseline criteria is met.

a. Document that the CDA, as identified using the analysis set forth in Section 3.1 or 3.2 of this document, is located within a Protected or Vital Area or the cyber security controls in NEI 08-09, Appendix E, Section E.5 Physical and Operational Environment Protection, are addressed.
b. The CDA and any interconnected assets do not have wireless internetworking communications technologies.

Document how wireless networking is addressed for the CDA.

c. The CDA and any interconnected assets are either air-gapped or isolated by a deterministic isolation device. In order to properly fulfill their SSEP function, some indirect CDAs are excluded from the requirement to be air-gapped or isolated by a deterministic isolation device. These CDAs include:
1. Communication systems such as a PBX, Radio systems, or other devices whose SSEP function requires external communication. These communication systems and networks must not provide an attack pathway to isolated devices, systems, or networks.
2. Log aggregation and event correlation servers which reside outside the deterministic isolation device or which reside on the corporate business networks to fulfill the site wide aggregation, monitoring, and alerting functions.
d. Document how portable media and mobile devices are controlled according to NEI 08-09 D.1.19 in order to ensure the CDA will not be compromised as a result of the use of portable media and mobile devices.


e. Document how changes to the CDA are evaluated and documented before implementation to ensure the following:
1. Baseline security criteria remain in place and effective.
2. No new pathways or vulnerabilities have been created.
3. No change to the CDA would now make it Direct.
4. Threat and vulnerability notifications received from credible sources are screened, evaluated, mitigated and dispositioned in accordance with the CSP.
f. Document how the CDA, or the interconnected equipment that would be affected by the compromise of the non-Direct CDA, is periodically checked to ensure the equipment is capable of performing its intended function. These checks could include any routine check performed to determine the functional or operational availability of the equipment. The periodicity of checks must be sufficient to ensure detection and mitigation of cyber attacks prior to an adverse impact to SSEP functions resulting from cyber attacks. Document the actions taken to periodically ensure equipment is capable of performing its intended function.
g. Document how ongoing Monitoring and Assessment is performed to ensure the security posture of the CDA is maintained by verifying that baseline security criteria remain in place.

If YES: The current Cyber Security controls are adequate to meet the Cyber Security Plan, Section 3.1.6. END ASSESSMENT HERE.

If NO: Remediate to meet the baseline Cyber Security protection criteria described in Section 5 OR proceed to Step 4.0.

4.0 This is a Direct CDA. Address cyber security controls in accordance with Section 3.1.6 of the licensee's Cyber Security Plan.

Outstanding Action Tracking: (YES / NO)

Note: Insert here any outstanding actions required to satisfactorily complete this assessment.

CYBER SECURITY ASSESSMENT TEAM APPROVAL

Initiator:

Name (Signature)

Reviewer:

Name (Signature)

Other Review (as applicable):

Name (Signature)

Final Approval:

Name (Signature)

Appendix C. EXAMPLES

[DELETED]

Appendix D. DIRECT CDA CLASSES AND ASSESSMENTS

Appendix D provides a class description and a corresponding cyber security control assessment table for the class. See Section 6 of this document for further information.

Class A.1 CDA (Low-Functionality, Direct Impact)

Software Attributes of Class A.1 CDAs:

  • Program code (e.g. instruction-level code) cannot be altered and does not utilize or support operating system or application software
  • Changes to operational parameters or operational settings can only be implemented using maintenance and test equipment
  • Configuration changes can only be implemented by taking the device out of service
  • Device does not support any sort of event logging
  • Device does not support application or 3rd party software

Hardware Attributes of Class A.1 CDAs:

  • Device includes PROM, RAM, EEPROM and possibly integrated components (e.g. FPGA) with factory-configurable firmware and functionality
  • Device has no remote or local, integral HMI (but may have local display-only indicators)
  • Device has no communications hardware/software but may have interfaces to external devices/systems using analog/contact/pulse I/O signals
  • Device has no peripherals, interfaces or ports (e.g. media access, serial, etc.)

Location of Class A.1 CDAs:

  • Protected Area (PA) or Vital Area (VA)

Information Classification for Class A.1 CDAs:

  • CDA contains plant process data not classified as security-related or Safeguards Information (SGI)

Examples of Class A.1 CDAs:

  • Love Controls Series SC1290 & SC1490 Thermocouple Limit/Alarm Switch Module
  • KNS Perfecta Model: VPI-3EAN unit
  • Rosemount 3153N digital transmitters

Class A.1 CDA (Low-Functionality, Direct Impact) Cyber Security Control Assessment Table A.1

Table columns: Control Number, Control, Common, Apply to CDA, Alternate, Not Applicable, Basis. In the text layout below, each entry gives the control number and name, the applicability determination (the column(s) marked for the control), and the Basis.

D1.1 Access Control Policy and Procedures (D1.1)
Determination: Common; Apply to CDA
Basis: The Access Control Policy and Procedures control is a common control applicable to the licensee organization. Its requirements should be applied to CDAs based upon defined and documented access control policies and procedures.

D1.2 Account Management (D1.2)
Determination: Not Applicable
Basis: Class A.1 devices have no interface through which a user can gain access and program code (e.g., instruction-level code, configuration, settings) in the CDAs cannot be altered. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D1.3 Access Enforcement (D1.3)
Determination: Not Applicable
Basis: Class A.1 devices have no interface through which a user can gain access and program code (e.g., instruction-level code, configuration, settings) in the CDAs cannot be altered. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D1.4 Information Flow Enforcement (D1.4)
Determination: Not Applicable
Basis: Class A.1 devices do not have any communications hardware/software, peripherals, interfaces, or ports (e.g., media access, serial). Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D1.5 Separation of Functions (D1.5)
Determination: Not Applicable
Basis: Class A.1 devices have no interface through which a user can gain access and program code (e.g., instruction-level code, configuration, settings) in the CDAs cannot be altered. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D-5

NEI 13-10 (Revision 7)

October 2021 Apply to CDA Not Applicable Common Alternate Control Number Control Basis D1.6 Least Privilege (D1.6) X Class A.1 devices have no interface through which a user can gain access and program code (e.g., instruction-level code, configuration, settings) in the CDAs cannot be altered. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D1.7 Unsuccessful Login X Class A.1 devices have no interface through which a user can gain access Attempts (D1.7) and program code (e.g., instruction-level code, configuration, settings) in the CDAs cannot be altered. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D1.8 System Use X Class A.1 devices have no interface through which a user can gain access Notification (D1.8) and program code (e.g., instruction-level code, configuration, settings) in the CDAs cannot be altered. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D1.9 Previous Logon X Class A.1 devices have no interface through which a user can gain access Notification (D1.9) and program code (e.g., instruction-level code, configuration, settings) in the CDAs cannot be altered. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D1.10 Session Lock (D1.10) X Class A.1 devices have no interface through which a user can gain access and program code (e.g., instruction-level code, configuration, settings) in the CDAs cannot be altered. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable D1.11 Supervision and X Class A.1 devices have no interface through which a user can gain access Review - Access and program code (e.g., instruction-level code, configuration, settings) in Control (D1.11) the CDAs cannot be altered. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D1.12 Permitted Actions X Class A.1 devices have no interface through which a user can gain access Without Identification and program code (e.g., instruction-level code, configuration, settings) in and Authentication the CDAs cannot be altered. Therefore, this control is not applicable.

(D1.12)

D-6

NEI 13-10 (Revision 7)

October 2021 Apply to CDA Not Applicable Common Alternate Control Number Control Basis D1.13 Automated Marking X Class A.1 devices do not have the capability to generate any form of (D1.13) output. Class A.1 devices that do provide output only generates plant process data output that does not contain security-related information (SRI) or SGI. Since SRI and SGI are not present, this control is not applicable.

D1.14 Automated Labeling X Class A.1 devices do not have the capability to generate any form of (D1.14) output. Class A.1 devices that do provide output only generates plant process data output that does not contain security-related information (SRI) or SGI. Since SRI and SGI are not present, this control is not applicable.

D1.15 Network Access X Class A.1 devices do not have any communications hardware/software as Control (D1.15) described in the Class A.1 description. Therefore, the attack vector associated with this control does not exist and this cyber security control is not applicable.

D1.16 Open/Insecure X Class A.1 devices do not have any communications hardware/software as Protocol Restrictions described in the Class A.1 description. Therefore, the attack vector (D1.16) associated with this control does not exist and this cyber security control is not applicable.

D1.17 Wireless Access X Class A.1 devices do not have any communications (including wireless)

Restrictions (D1.17) hardware/software as described in the Class A.1 description. Therefore, the attack vector associated with this control does not exist and this cyber security control is not applicable Note: This control also requires periodic scans for unauthorized wireless devices and rogue access points on plant LANs. Even though this control is not applicable directly to class A.1 CDAs, the additional requirement for periodic scans still applies to the plants defensive architecture.

D1.18 Insecure and Rogue X Class A.1 devices do not have any communications hardware/software as Connections (D1.18) described in the Class A.1 description. Therefore, the attack vector associated with this control does not exist and this cyber security control is not applicable.

D-7

NEI 13-10 (Revision 7)

October 2021 Apply to CDA Not Applicable Common Alternate Control Number Control Basis D1.19 Access Control for X Class A.1 devices do not have any peripherals, interfaces, or ports (e.g.,

Portable and Mobile media access, serial). The CDA cannot be impacted by any portable Devices (D1.19) devices/media. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable. .

D1.20 Proprietary Protocol X Class A.1 devices do not have any communications hardware/software as Visibility (D1.20) described in the Class A.1 description. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D1.21 Third Party Products X These CDAs by definition do not support installation of third-party and Controls (D1.21) software; therefore, this control is not applicable.

D1.22 Use of External X Class A.1 devices do not have any communications hardware/software as Systems (D1.22) described in the Class A.1 description. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D1.23 Public Access Access X A Class A.1 CDA by definition does not contain any SGI or SRI Protections (D1.23) information, and thus the attack vector addressed by this control does not exist and the control is not required.

D2.1 Audit and X X The Audit and Accountability Policy and Procedures control is a common Accountability Policy control applicable to the licensee organization. Its requirements should be and Procedures applied to CDAs based upon defined and documented auditing and (D2.1) accountability policies and procedures.

D2.2 Auditable Events X Class A.1 devices have no interface through which a user can gain access (D2.2) and change program code (e.g., instruction-level code, configuration, or settings), settings, or configuration of the CDA. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D-8

NEI 13-10 (Revision 7)

October 2021 Apply to CDA Not Applicable Common Alternate Control Number Control Basis D2.3 Content of Audit X Class A.1 devices have no interface through which a user can gain access Records (D2.3) and change program code (e.g., instruction-level code, configuration, or settings), settings, or configuration of the CDA. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D2.4 Audit Storage X Class A.1 devices have no interface through which a user can gain access Capacity (D2.4) and change program code (e.g., instruction-level code, configuration, or settings), settings, or configuration of the CDA. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D2.5 Response to Audit X Class A.1 devices have no interface through which a user can gain access Processing Failures and change program code (e.g., instruction-level code, configuration, or (D2.5) settings), settings, or configuration of the CDA. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D2.6 Audit Review, X Class A.1 devices have no interface through which a user can gain access Analysts and and change program code (e.g., instruction-level code, configuration, or Reporting (D2.6) settings), settings, or configuration of the CDA. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D2.7 Audit Reduction and X Class A.1 devices have no interface through which a user can gain access Report Generation and change program code (e.g., instruction-level code, configuration, or (D2.7) settings), settings, or configuration of the CDA. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D2.8 Time Stamps (D2.8) X Class A.1 devices have no interface through which a user can gain access and change program code (e.g., instruction-level code, configuration, or settings), settings, or configuration of the CDA. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D-9

NEI 13-10 (Revision 7)

October 2021 Apply to CDA Not Applicable Common Alternate Control Number Control Basis D2.9 Protection of Audit X Class A.1 devices have no interface through which a user can gain access Information (D2.9) and change program code (e.g., instruction-level code, configuration, or settings), settings, or configuration of the CDA. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D2.10 Non-Repudiation X Class A.1 devices have no interface through which a user can gain access (D2.10) and change program code (e.g., instruction-level code, configuration, or settings), settings, or configuration of the CDA. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D2.11 Audit Record X Class A.1 devices have no interface through which a user can gain access Retention (D2.11) and change program code (e.g., instruction-level code, configuration, or settings), settings, or configuration of the CDA. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D2.12 Audit Generation X Class A.1 devices have no interface through which a user can gain access (D2.12) and change program code (e.g., instruction-level code, configuration, or settings), settings, or configuration of the CDA. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D3.1 CDA, System and X X The CDA, System and Communications Protection Policy and Procedures Communications control is a common control applicable to the licensee organization. Its Protection Policy and requirements should be applied to CDAs based upon defined and Procedures (D3.1) documented system and communication protection policies and procedures.

D3.2 Application X Class A.1 CDAs have no operating system and only support program Partitioning/Security functions defined by the manufacturer, and their program code and Function Isolation configuration cannot be altered. Thus, the attack vector associated with this (D3.2) control does not exist and therefore this security control is not applicable.

D-10

NEI 13-10 (Revision 7)

October 2021 Apply to CDA Not Applicable Common Alternate Control Number Control Basis D3.3 Shared Resources X Class A.1 CDAs have no operating system and only support program (D3.3) functions defined by the manufacturer, and their program code and configuration cannot be altered. Thus, the attack vector associated with this control does not exist and this security control is not applicable.

D3.4 Denial of Service X Class A.1 CDAs have no operating system, communication capabilities, Protection (D3.4) and only support program functions defined by the manufacturer, and their program code and configuration cannot be altered. Thus, the attack vector associated with this control does not exist and therefore the control, or alternative countermeasure, is not applicable.

D3.5 Resource Priority X Class A.1 CDAs have no multi-tasking operating system and only support (D3.5) program functions defined by the manufacturer, and their program code and configuration cannot be altered. Thus, the attack vector associated with this control does not exist and this security control is not applicable.

D3.6 Transmission X Class A.1 devices do not have any communications hardware/software as Integrity (D3.6) described in the Class A.1 description. The signals transmitted by these CDAs do not adverse impact the SSEP functions or other CDAs. Thus, the attack vector associated with this control does not exist and this security control is not applicable.

D3.7 Transmission X Class A.1 devices do not have any communications Confidentiality (D3.7) hardware/software as described in the Class A.1 description. Any external connections are adequately protected against tampering. Thus, the attack vector associated with this control does not exist and the security control is not applicable.

D3.8 Trusted Path (D3.8) X Class A.1 devices have no interface through which a user can gain access and program code (e.g., instruction-level code, configuration, settings) and configuration in the CDAs cannot be altered Additionally Class A.1 devices do not have any communications hardware/software as described in the Class A.1 description. Therefore, this cyber security control is not applicable.

D-11

NEI 13-10 (Revision 7)

October 2021 Apply to CDA Not Applicable Common Alternate Control Number Control Basis D3.9 Cryptographic Key X Class A.1 devices do not have any communications hardware/software as Establishment and described in the Class A.1 description, do not use cryptography and do not Management (D3.9) contain SRI or SGI information. Therefore, the attack vector associated with this control does not exist and this cyber security control is not applicable D3.10 Unauthorized Remote X Class A.1 devices have no interface through which a user can gain access Activation of Services and Class A.1 devices do not have any communications hardware/software.

(D3.10) Therefore, attack vectors associated with this security control do not exist and this control is not applicable.

D3.11 Transmission of X Class A.1 devices do not have any communications hardware/software as Security Parameters described in the Class A.1 description and does not transmit or receive any (D3.11) security parameters. Therefore, the attack vector associated with this control does not exist and this cyber security control is not applicable.

D3.12 Public Key X Class A.1 devices do not have any communications hardware/software as Infrastructure described in the Class A.1 description, do not use cryptography, and do not Certificates (D3.12) contain SRI or SGI information. Therefore, the attack vector associated with this control does not exist and this cyber security control is not applicable.

D3.13 Mobile Code (D3.13) X Class A.1 devices do not use or support operating system, third-party, or application software and do not support mobile code. In addition, CDAs do not support any communications hardware/software or any peripherals, interfaces, or ports (e.g., media access, serial). Therefore, this cyber security control is not applicable.

D3.14 Secure Name/Address X Class A.1 devices have no interface through which a user can gain access Resolution Service and Class A.1 devices do not have any communications hardware/software.

(Authoritative/Trusted Therefore, attack vectors associated with this security control do not exist Source) (D3.14) and this control is not applicable.

D-12

NEI 13-10 (Revision 7)

October 2021 Apply to CDA Not Applicable Common Alternate Control Number Control Basis D3.15 Secure Name/Address X Class A.1 devices have no interface through which a user can gain access Resolution Service and Class A.1 devices do not have any communications hardware/software.

(Recursive or Caching Therefore, attack vectors associated with this security control do not exist Resolver) (D3.15) and this control is not applicable.

D3.16 Architecture and X Class A.1 devices have no interface through which a user can gain access Provisioning for and Class A.1 devices do not have any communications hardware/software.

Name/Address Therefore, attack vectors associated with this security control do not exist Resolution Service and this control is not applicable.

(D3.16)

NOTE: Although Class A.1 CDAs do not use DNS services if any other class of CDAs do require that support then this control would be applicable to the plants defensive architecture and DNS servers.

D3.17 Session Authenticity X Class A.1 devices have no interface through which a user can gain access (D3.17) and program code (e.g., instruction-level code, configuration, settings) in the CDAs cannot be altered. Additionally, CDAs do not use or support operating systems or application software. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D3.18 Thin Nodes (D3.18) X Class A.1 CDAs do not support communication hardware/software and so cannot be incorporated into a centralized-architecture system design.

Also, these CDAs have no interface through which a user can gain access and program code (e.g., instruction-level code, configuration, settings) in the CDAs cannot be altered. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D3.19 Confidentiality of X Class A.1 CDAs do not contain, process, or store security-related Information at Rest information (SRI) or SGI. Since SRI or SGI are not contained, stored, or (D3.19) processed on the device, this control is not applicable.

D-13

NEI 13-10 (Revision 7)

October 2021 Apply to CDA Not Applicable Common Alternate Control Number Control Basis D3.20 Heterogeneity X X This security control can be commonly addressed by the plant by inheriting (D3.20) the protection provided by the licensees program to address common mode failure issues associated with safety and security systems.

D3.21 Fail in Known (Safe) X The engineering process ensures and documents that components fail in a State (D3.21) state that is bounded with the design basis of the plant.

D4.1 Identification and X X The Identification and Authentication Policies and Procedures control is a Authentication common control applicable to the licensee organization. Its requirements Policies and should be applied to CDAs based upon defined and documented Procedures (D4.1) identification and authentication policies and procedures.

D4.2 User Identification X Class A.1 devices have no interface through which a user can gain access and Authentication and program code (e.g., instruction-level code, configuration, settings) in (D4.2) the CDAs cannot be altered. Therefore, the attack vector associated with this control does not exist and this cyber security control is not applicable.

D4.3 Password X Class A.1 devices have no interface through which a user can gain access Requirements (D4.3) and program code (e.g., instruction-level code, configuration, settings) in the CDAs cannot be altered. Therefore, the attack vector associated with this control does not exist and this cyber security control is not applicable.

D4.4 Non-Authenticated X Class A.1 devices have no interface through which a user can gain access Human Machine and program code (e.g., instruction-level code, configuration, settings) in Interaction (HMI) the CDAs cannot be altered. Therefore, the attack vector associated with Security (D4.4) this control does not exist and this cyber security control is not applicable.

D4.5 Device Identification X Class A.1 devices have no interface through which a user can gain access and Authentication and program code (e.g., instruction-level code, configuration, settings) in (D4.4) the CDAs cannot be altered, and do not have any communications hardware/software/ports/media access. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D-14

NEI 13-10 (Revision 7)

October 2021 Apply to CDA Not Applicable Common Alternate Control Number Control Basis D4.6 Identifier X Class A.1 devices have no interface through which a user can gain access Management (D4.6) and program code (e.g., instruction-level code, configuration, settings) in the CDAs cannot be altered and do not have any communications hardware/software/ports/media access. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D4.7 Authenticator X Class A.1 devices have no interface through which a user can gain access Management (D4.7) and program code (e.g., instruction-level code, configuration, settings) in the CDAs cannot be altered, and do not have any communications hardware/software/ports/media access. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D4.8 Authenticator X Class A.1 devices have no interface through which a user can gain access Feedback (D4.8) and program code (e.g., instruction-level code, configuration, settings) in the CDAs cannot be altered, and do not have any communications hardware/software/ports/media access. Therefore, an attack vector associated with this control does not exist and this cyber security control is not applicable.

D4.9 Cryptographic X Class A.1 devices do not use cryptography, therefore attack vectors Module associated with this security control do not exist and this control is not Authentication (D4.9) applicable.

D5.1 Removal of X Class A.1 CDAs have no operating systems or communication capabilities, Unnecessary Services only support program functions defined by the manufacturer, their program and Programs (D5.1) code and configuration cannot be altered, and do not have any unnecessary services or programs. Thus, an attack vector associated with this control does not exist and therefore the control is not applicable.

D-15

NEI 13-10 (Revision 7)

October 2021 Apply to CDA Not Applicable Common Alternate Control Number Control Basis D5.2 Host Intrusion X Class A.1 devices have no interface through which a user can gain access Detection System and program code (e.g., instruction-level code, configuration, settings) and (HIDS) (D5.2) configuration of the CDAs cannot be altered. The CDA cannot be impacted by any portable devices/media. Therefore, attack vectors associated with this security control do not exist and this control is not applicable.

D5.3 Changes to File X Class A.1 devices have no interface through which a user can gain access System and Operating and have no alterable software/code/settings. Additionally, Class A.1 System Permissions devices do not use or support operating system or application software and (D5.3) do not support application or third-party software. Therefore, attack vectors associated with this security control do not exist and this control is not applicable.

D5.4 Hardware X Class A.1 devices do not have peripherals, interfaces, or media access Configuration (D5.4) ports. Class A.1 device hardware is dedicated to a single plant process function and its hardware cannot be altered. Therefore, the attack vectors associated with this security control do not exist and the security control is not applicable.

D5.5 Installing Operating X Class A.1 devices have no interface through which a user can gain access Systems, and have no alterable software/code/settings. Therefore, attack vectors Applications, and associated with this security control do not exist and this control is not Third-Party Software applicable.

Updates (D5.5)

E3.3 Malicious Code X Class A.1 devices have no interface through which a user can gain access Protection (E3.3) and have no alterable software/code/settings. The CDA cannot be impacted by any portable devices/media. Thus, the attack vector associated with this control does not exist and this security control is not applicable.

E3.4 Monitoring Tools and X Class A.1 devices have no interface through which a user can gain access Techniques (E3.4) and have no alterable software/code/settings. The CDA cannot be impacted by any portable devices/media. Thus, the attack vector associated with this control does not exist and this security control is not applicable.

D-16

NEI 13-10 (Revision 7)

October 2021 Apply to CDA Not Applicable Common Alternate Control Number Control Basis E3.7 Software and X Class A.1 devices have no interface through which a user can gain access Information Integrity and have no alterable software/code/settings. The CDA cannot be (E3.7) impacted by any portable devices/media. Thus, the attack vector associated with this control does not exist and this security control is not applicable.

E3.8 Information Input X Class A.1 devices have no interface through which a user can gain access Restrictions (E3.8) and have no alterable software/code/settings. The CDA cannot be impacted by any portable devices/media. Thus, the attack vector associated with this control does not exist and this security control is not applicable.

E3.9 Error Handling (E3.9) X Class A.1 devices have no user interface, cannot generate error messages, and do not contain either SRI or SGI information. Therefore, the attack vector associated with this control does not exist, and the control is not applicable.

Table A.2: Class A.2 through B.3 Class Descriptions

Class A.2 CDAs

Software Attributes:

  • Program code (instruction-level code) is factory installed by the manufacturer and cannot be altered, nor can any code be injected (e.g. no buffer or heap overflow)

HMI:

  • Only operational parameters (no configuration settings) can be changed using the local, integral HMI
  • No configuration changes can be made via the integral HMI
  • The HMI has no access enforcement mechanisms
  • Configuration setting changes can only be made using a maintenance tool and only by taking the CDA out of service
  • Does not contain an externally accessible file system
  • Firmware updates not supported/not possible by the hardware design
  • Contains vendor software that performs/supports a pre-defined set of features and functions and supports no ability to add or remove software

Communication:

  • Contains no communication software functionality
  • CDA does not perform audit/event logging of user activities or communication activities or local runtime events

Class A.3 CDAs

Software Attributes:

  • Program code (instruction-level code) is factory installed by the manufacturer and cannot be altered, nor can any code be injected (e.g. no buffer or heap overflow)

HMI:

  • Operational parameters can be changed using the local, integral HMI
  • Configuration settings can be changed using the local, integral HMI
  • The HMI has at least one form of software access enforcement mechanism
  • Does not support multi-users and individual authentication for those users
  • Configuration setting changes can also be made using a maintenance tool and only by taking the CDA out of service
  • Does not contain an externally accessible file system
  • Firmware updates not supported and not possible by the hardware design
  • Only contains vendor's software that performs/supports a pre-defined set of features and functions and supports no ability to add or remove software

Communication:

  • Contains no communication software functionality
  • CDA does not perform audit/event logging of user activities or communication activities or local runtime events

Class B.1 CDAs

Software Attributes:

  • Program code (instruction-level code) is factory installed by the manufacturer and cannot be altered, nor can any code be injected (e.g. no buffer or heap overflow)

HMI (if CDA has HMI):

  • Operational parameters can be changed using the local, integral HMI
  • Configuration settings can be changed using the local, integral HMI
  • The HMI has at least one form of software access enforcement mechanism
  • Does not support multi-users and individual authentication for those users
  • Configuration setting changes can also be made using a maintenance tool and only by taking the CDA out of service
  • Does not contain an externally accessible file system
  • Firmware updates not supported and not possible by the hardware design
  • Only contains vendor's software that performs/supports a pre-defined set of features and functions and supports no ability to add or remove software

Communication:

  • The CDA uses an industrial protocol using poll-response based message exchanges over an asynchronous serial communications channel. Communication functionality of the CDA is limited to information or data extraction and does not support the capability for control execution, manipulation of CDA I/O, or sending parameters or data to the CDA.
  • Communication functions do not allow for modification of the configuration of the CDA or for making program changes to the CDA.
  • CDA does not perform audit/event logging of user activities or communication activities or local runtime events

Class B.2 CDAs

Software Attributes:

  • Program code (instruction-level code) is factory installed by the manufacturer and cannot be altered, nor can any code be injected (e.g. no buffer or heap overflow)

HMI (if CDA has HMI):

  • Operational parameters can be changed using the local, integral HMI
  • Configuration settings can be changed using the local, integral HMI
  • The HMI has at least one form of software access enforcement mechanism
  • Does not support multi-users and individual authentication for those users
  • Configuration changes can also be made using a maintenance tool and only by taking the CDA out of service
  • Does not contain an externally accessible file system
  • Firmware updates not supported and not possible by the hardware design
  • Only contains vendor's software that performs/supports a pre-defined set of features and functions and supports no ability to add or remove software

Communication:

  • The CDA uses an industrial protocol using poll-response based message exchanges over an asynchronous serial communications channel. Communication functionality of the CDA can be adjusted and altered by the user and may include reading and writing data from and to the CDA to fetch values, change/set parameters, execute pre-configured control functions, and manipulate CDA process control outputs.
  • Communication functions do not allow for modification of the configuration of the CDA or for making program changes to the CDA.
  • CDA does not perform audit/event logging of user activities or communication activities or local runtime events

Class B.3 CDAs

Software Attributes:

  • Program code (instruction-level code) is factory installed by the manufacturer, but it may be possible to replace this program code by doing a firmware update in the field
  • If the CDA supports a USB port (master or slave), it is factory-programmed to support a specific subset of bulk-data/file-exchange methods (e.g., save or reload CDA configuration settings or load new firmware). The CDA does not support interoperation with any other form of USB object classes or devices or allow automatic/manual installation of third-party drivers for such object classes or devices.

HMI (if CDA has HMI):

  • Operational parameters can be changed using the local, integral HMI
  • Configuration settings can be changed using the local, integral HMI
  • The HMI has at least one form of software access enforcement mechanism
  • Does not support multi-users and individual authentication for those users
  • Configuration changes can also be made using a maintenance tool and only by taking the CDA out of service
  • Configuration changes may also be made locally via a console port and/or USB thumb drive/memory card as well as remotely via the asynchronous serial communication channel, but only by taking the CDA out of service
  • Does not contain an externally accessible file system but may support bulk data extraction and configuration loading/saving via the USB/memory card interfaces
  • CDA supports firmware update/replacement with removal of the CDA from service and use of special tools and software
  • Only contains vendor's software that performs/supports a pre-defined set of features and functions and supports no ability to add or remove software

Communication:

  • The CDA uses an industrial protocol using poll-response based message exchanges over an asynchronous serial communications channel. Communication functionality of the CDA can be adjusted and altered by the user and may include reading and writing data from and to the CDA to fetch values, change/set parameters, execute pre-configured control functions, and manipulate CDA process control outputs.
  • The functionality and configuration of the CDA can also be altered via these communication links using software tools (possibly vendor-proprietary) specifically designed for that purpose.
  • The asynchronous communications capability does not support modification of code, instructions, or code injection to the CDA.
  • CDA does not perform audit/event logging of user activities or communication activities or local runtime events
  • The CDA does not suppler a
  • The CDA does not suppler a
  • The CDA does not suppler a
  • The CDA does not suppler a
  • The CDA has a local, local console port or command local console port or command local console port or command local console port or command special- purpose line interpreter functionality line interpreter functionality line interpreter functionality line interpreter functionality communications interface (a.k.a. a console port),

typically a low-speed, asynchronous, EIA-232 compatible, that is used to enable user interaction with a devices integral command-D-21

NEI 13-10 (Revision 7)

October 2021 line interpreter (e.g., a shell or command prompt) via an ASCII dumb terminal or a computer/program emulating a dumb terminal Hardware Attributes Hardware Attributes Hardware Attributes Hardware Attributes Hardware Attributes

  • Contain PROM, RAM,
  • Contain PROM, RAM,
  • PROM, RAM, EEPROM and
  • PROM, RAM, EEPROM and
  • PROM, RAM, EEPROM and EEPROM, and possibly EEPROM, and possibly possibly integrated components possibly integrated components possibly integrated components integrated components (e.g., integrated components (e.g., (e.g., FPGA) that include (e.g., FPGA) that include (e.g., FPGA) that include FPGA) that include factory- FPGA) that include factory- factory-configurable factory-configurable factory-configurable configurable functionality and configurable functionality and functionality and factory- functionality and factory- functionality and factory-factory-configurable factory-configurable configurable firmware. configurable firmware. configurable firmware.

firmware firmware.

  • May contain bulk storage for data
  • May contain bulk storage for
  • May contain bulk storage for
  • May contain bulk storage for
  • May contain bulk storage for accumulation purposes but data accumulation purposes but data accumulation purposes but data accumulation purposes but data accumulation purposes and provides no external access to provides no external access to provides no external access to provides no external access to for configuration setting storage that bulk storage that bulk storage that bulk storage that bulk storage and
  • May support external access to that bulk storage.

HMI: HMI: HMI: HMI: HMI:

  • Has a minimal-functionality,
  • Has a minimal-functionality,
  • Has a minimal-functionality,
  • Has a minimal-functionality,
  • Has a minimal-functionality,
  • Local access only
  • Local access only
  • Local access only
  • Local access only
  • Local access only
  • May employ a physical access
  • May employ a physical access
  • May employ a physical access
  • May employ a physical access protection mechanism such as a protection mechanism such as a protection mechanism such as a protection mechanism such as a key or fob key or a fob key or fob key or fob
  • Contains no communication
  • Contains no communications
  • Supports only asynchronous,
  • Supports only asynchronous,
  • Supports only asynchronous or hardware other than a hardware other than a low-speed, serial low-speed, serial synchronous, low-speed, serial configuration and maintenance configuration and maintenance communications capability communications capability communications capability port port using either an RS-232, RS-422 using either an RS-232, RS-422 using either an RS-232, RS-422, or RS-485 hardware interface or RS-485 hardware interface or RS-485 or vendor-proprietary (regardless of any subsequent (regardless of any subsequent hardware interface (e.g.

media conversion, e.g. to fiber media conversion, e.g. to fiber Modbus+' or Profibus')

optic cable) optic cable) regardless of any subsequent media conversion (such as to fiber optic cable).

D-22

NEI 13-10 (Revision 7)

October 2021

  • Contains a maintenance and
  • Contains a maintenance and
  • Contains a maintenance and
  • Contains a maintenance and
  • Contains a console port and one configuration port but no other configuration port but no other configuration port as well as one configuration port as well as one or more non-Ethernet serial peripherals, interfaces, or ports peripherals, interfaces, or ports or more asynchronous or more asynchronous communication ports communication ports but no communication ports but no (synchronous or asynchronous) other peripherals, interfaces or other peripherals, interfaces or
  • May support a restricted ports ports. functionality USB port and/or memory card slot for bulk data retrieval and configuration exporting and restoration but no other peripherals, interfaces or ports Note: Note: Note: Note: Note:

If the CDA contains peripherals, If the CDA contains peripherals, If the CDA contains peripherals, If the CDA contains peripherals, If the CDA contains peripherals, interfaces, or ports beyond those interfaces, or ports beyond those interfaces, or ports beyond those interfaces, or ports beyond those interfaces, or ports beyond those allowed by the class criteria, the allowed by the class criteria, the allowed by the class criteria, the allowed by the class criteria, the allowed by the class criteria, the CDAs can meet this criteria by CDAs can meet this criteria by CDAs can meet this criteria by CDAs can meet this criteria by CDAs can meet this criteria by physically disabling the peripheral, physically disabling the peripheral, physically disabling the peripheral, physically disabling the peripheral, physically disabling the peripheral, interfaces or ports in a manner that interfaces or ports in a manner that interfaces or ports in a manner that interfaces or ports in a manner that interfaces or ports in a manner that prevents restoration, reactivation or prevents restoration, reactivation or prevents restoration, reactivation or prevents restoration, reactivation or prevents restoration, reactivation or bypass. bypass. bypass. bypass. bypass.

  • May support an interface to
  • May support an interface to
  • May support an interface to
  • May support an interface to
  • May support an interface to external devices/systems external devices/systems external devices/systems external devices/systems external devices/systems implemented using analog, implemented using analog, implemented using analog, implemented using analog, implemented using basic analog, contact, pulse process control I/O contact, pulse process control contact, pulse process control contact, pulse process control contact, pulse process control signals I/O signals I/O signals I/O signals I/O signals Location Location Location Location Location
  • Protected Area (PA) or Vital
  • Protected Area (PA) or Vital
  • Protected Area (PA) or Vital
  • Protected Area (PA) or Vital
  • Protected Area (PA) or Vital Area (VA) Area (VA) Area (VA) Area (VA) Area (VA)

Information Classification: Information Classification Information Classification Information Classification Information Classification

  • CDA contains plant process data
  • CDA contains plant process data
  • CDA contains plant process data
  • CDA contains plant process data
  • CDA contains plant process data not classified as security-related not classified as security-related not classified as security-related not classified as security-related not classified as security-related (SRI) or Safeguards Information (SRI) or Safeguards Information (SRI) or Safeguards Information (SRI) or Safeguards Information (SRI) or Safeguards Information (SGI) (SGI) (SGI) (SGI) (SGI)

Plant Design / Maintenance Plant Design / Maintenance Plant Design / Maintenance Plant Design / Maintenance Plant Design / Maintenance

  • Removal from service can only
  • Removal from service can only
  • Removal from service can only
  • Removal from service can only
  • Removal from service can only be done locally at the CDA be done locally at the CDA be done locally at the CDA be done locally at the CDA be done locally at the CDA D-23

NEI 13-10 (Revision 7)

Examples of Class A.2 CDAs:

  • Micon model# AI-518 Universal PID Controller
  • HANYOUNG model# BK-6 Digital Temperature Indicator

Examples of Class A.3 CDAs:

  • CubicleBus model# 3WL11 Automatic low-voltage bus air breaker
  • TORAY UVT-300 Water Chemical Analyzer

Examples of Class B.1 CDAs:

  • SEL Model# 2414 Transformer Monitor with DNP3.0
  • VAMP 245 Feeder and Motor Protective Relay with DNP3.0

Examples of Class B.2 CDAs:

  • Omron Model# GCF-612 PLC with DNP 3.0 protocol
  • KH300AG-Kehao-Universal Colored Recorder with Modbus RTU
  • KOYO Click PLC Family with Ethernet and RS485 Modbus RT

Examples of Class B.3 CDAs:

  • SEL Model 351S Multi-Function Relay with Serial DNP 3.0 Communications
  • Modicon Quantum PLC with Modbus-plus (MB+) Communications
  • BOSH LTC0385 Series DinionXF Security Camera

Class A.2 through B.3 Cyber Security Control Assessment Table A.3

For each control, the X marks from the Apply to CDA (Common / Alternate) and Not Applicable columns of the table are shown in brackets for each class, followed by that class's basis.

D1.1 Access Control Policy and Procedures

  • Classes A.2, A.3, B.1, B.2, B.3 [X X]: The Access Control Policy and Procedures control is a common control applicable to the licensee organization. Its requirements should be applied to CDAs based upon defined and documented access control policies and procedures.

D1.2 Account Management

  • Class A.2 [X]: In the case of CS/CDAs that do not support multiple user accounts or multi-level access based on separate passwords, or that only utilize a single, universal password for all user access, this security control would not be applicable.
  • Class A.3 [X X]: Although a Class A.3 CDA does not have individual user accounts, its integral HMI provides access to both operational and configuration settings, and modifications could adversely impact its safety, security, or emergency preparedness functions. Thus, the attack vector associated with this control exists and the control must be addressed. Therefore, by using the method provided in Section 3.1.6 of the CSP, this security control is addressed by the following alternative means by implementing, verifying, validating, and documenting the following:
      • The access enforcement mechanisms implemented to meet D1.3 are managed so that only authorized individuals have access to the CDA's HMI.
      • The procedures for granting, revoking, and revising the access enforcement mechanism (e.g., changing the password, the key combination) are documented and managed and include ensuring that personnel who are still authorized are made aware of the changes and that, for personnel whose access is revoked or who no longer require access, licensees promptly recover any physical mechanism used for access (e.g., a fob, or key).
  • Classes B.1, B.2, B.3 [X X]: See Class A.3 Basis.


D1.3 Access Enforcement

  • Class A.2 [X X]: Class A.2 CDAs have integral HMIs that allow anyone (authorized or unauthorized) to manipulate operational parameters, which could lead to an adverse impact to SSEP functions or systems or equipment that perform those functions. Therefore, the attack vector associated with this control exists and the control must be addressed. Although the A.2 CDAs lack the capability to implement this control, using the method provided in Section 3.1.6 of the licensees' cyber security plans, this security control is addressed by implementing the following to provide equal protections as this security control:
    If the CDA is not located in a VA:
      • The CDA is in a locked, alarmed cabinet or line-supervised and tampered cabinet and
      • The alarm is monitored so that all alarms are immediately assessed to determine whether the access to the cabinet is authorized and this assessment process is documented in a plant procedure and
      • The access to the cabinet is controlled so that only authorized individuals are permitted access to the cabinet and CDAs.
      • Documented procedures are used when authorizing individuals access to the cabinet as well as when issuing those personnel a key to the cabinet.
    For Class A.2 devices in a Vital Area, the licensees can address the required security controls that address unauthorized manipulation of operating parameters via the HMI by implementing the measures described above, or by verifying and documenting that the Licensee has established, implemented, and maintains a list of individuals who are authorized to have unescorted access to specific nuclear power plant vital areas during non-emergency conditions. The list must include only those individuals who have a continued need for access to those specific vital areas in order to perform their duties and responsibilities. The list must be approved by a cognizant licensee manager or supervisor who is responsible for directing the work activities of the individual who is granted unescorted access to each vital area, and updated and re-approved no less frequently than every 31 days.
  • Class A.3 [X X]: A primary attack vector associated with A.3 CDAs is unauthorized access of operational parameters or configuration via the HMI. Additionally, the CDA does not have the following abilities that can be used to address this security control:
      • Assign user rights and privileges on the CDA consistent with the user authorizations
      • Define and document privileged functions and security-relevant information for the CDAs.
      • Authorize personnel access to privileged functions and security-relevant information consistent with established policies and procedures.
      • Restrict access to privileged functions (deployed in hardware, software, and firmware) and security-relevant information to authorized personnel (e.g., security administrators).
      • Define and document privileged functions for
      • Require dual authorization for critical privileged functions and to create any privileged access for users.
    As a result, this security control is addressed by using its self-protection mechanism (e.g., password, key) to restrict HMI user access; however, they do not have the ability to log attempts to bypass those mechanisms. Additionally, using the method provided in Section 3.1.6 of the CSP, this security control is addressed by implementing the measures described in controls D1.2 and D1.5.
    Alternate method: The CDA does not support individual user identifiers, but does support authenticators which are able to be implemented to authenticate users prior to access to the device. Implementation of Authentication Mechanisms provides protection against unauthorized access to devices.
    Alternate method: The device is located inside the protected area and is in a physically secure cabinet (for example, has a locking mechanism such as a key lock or tamper tape) where the locking mechanism is authorized for use through a work authorization process (for example, a work order).
    Alternate method: The device is located in the Control Room, Central Alarm Station (CAS), or Secondary Alarm Station (SAS).
  • Classes B.1, B.2, B.3 [X X]: See Class A.3 Basis.


D1.4 Information Flow Enforcement

  • Class A.2 [X]: By definition, a Class A.2 CDA has no communication ports or interfaces (or they have been physically disabled), other than the special-purpose connection which is used exclusively for configuration of the Class A.2 CDAs. Therefore, the attack vector associated with this control does not exist and the control is not required.
  • Class A.3 [X]: By definition, a Class A.3 CDA has no communication ports or interfaces (or they have been physically disabled), other than the special-purpose connection used for configuration of the Class A.3 CDAs, and the maintenance tool is not connected to another device or network when connected to the CDA. Therefore, the attack vectors associated with this security control do not exist, and this security control is not required.
  • Class B.1 [X]: By definition, a Class B.1 CDA is factory-programmed and/or designed to only allow CDA information extraction through the asynchronous serial communications channel using poll-response based message exchanges and does not support control execution, output manipulation or alteration of settings, code, instructions or the configuration of the CDA. Therefore, the attack vectors associated with this security control do not exist, and this security control is not required.
  • Class B.2 [X X]: By definition, a Class B.2 CDA is factory-programmed and/or designed to allow CDA information extraction through the asynchronous serial communications channel using poll-response based message exchanges in an industrial protocol. The CDA's asynchronous communication protocols also support pre-configured control function execution, output (analog, pulse, and/or contact) manipulations (which may include controlling plant equipment), and alteration of operational parameters but not alteration of configuration settings or the program code of the CDA. Therefore, the attack vectors associated with illegal or unauthorized information flows exist, and this security control must be addressed. Since the B.2 CDAs lack the capability to implement this control, using the method provided in Section 3.1.6 of the cyber security plan, this security control is alternately addressed by
    1) Inheriting the cyber security protections from the system/device to which the CDA is communicating using the industrial protocols by identifying those systems/devices as CDAs and protecting them accordingly, and
    2) By implementing the control measures described in control D3.6 below.
  • Class B.3 [X X]: By definition, a Class B.3 CDA is factory-programmed and/or designed to allow CDA information extraction through the asynchronous serial communications channel using poll-response based message exchanges in an industrial protocol. The CDA's asynchronous communication protocols also support pre-configured control function execution, output (analog, pulse, and/or contact) manipulations (which may include controlling plant equipment). The asynchronous serial communication capabilities include the ability to make alterations to CDA configuration settings and possibly the functional capabilities of the CDA (but not its program code). Therefore, the attack vectors associated with illegal or unauthorized information flows exist, and this security control must be addressed. Since the B.3 CDAs lack the capability to implement this control, using the method provided in Section 3.1.6 of the cyber security plan, this security control is addressed by
    1) Inheriting the cyber security protections from the system/device to which the CDA is communicating using the industrial protocols by identifying those systems/devices as CDAs and protecting them accordingly, and
    2) By implementing the control measures described in control D3.6 below.
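The distinction D1.4 draws between extraction-only poll-response traffic (Class B.1) and traffic that can execute pre-configured control or alter parameters (Classes B.2 and B.3) can be checked on the serial channel itself. The following is an added example, not part of NEI 13-10 or any licensee's program: a Modbus RTU frame inspector that validates the frame CRC and flags function codes outside a per-class allow-list. The allow-lists, the Verdict type and the captured frames are constructed assumptions for illustration; which registers count as operational versus configuration parameters depends on the specific device and is not modelled here.

```python
"""Added example (not from NEI 13-10): Modbus RTU frame inspection for
information-flow enforcement on an asynchronous serial channel (control D1.4).

Assumptions (not stated in the document): Modbus RTU is the industrial protocol
in use, the per-class allow-lists below are a simplified reading of the D1.4
basis, and the frames in SAMPLE_FRAMES are constructed for this example."""
from dataclasses import dataclass
from typing import List, Optional

# Public Modbus function codes grouped by what they can do to the device.
# Read-only codes extract data; write codes set coils/registers, i.e. they can
# change parameters or drive outputs. Diagnostic and vendor-specific codes are
# in neither set, so they fail the allow-list check for every class.
READ_FUNCTIONS = {0x01, 0x02, 0x03, 0x04, 0x07, 0x11}
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}

# Simplified policy (assumption): a Class B.1 CDA may only be polled for data;
# B.2 and B.3 CDAs additionally accept writes, since their protocols support
# pre-configured control execution and parameter changes.
ALLOWED_BY_CLASS = {
    "B.1": READ_FUNCTIONS,
    "B.2": READ_FUNCTIONS | WRITE_FUNCTIONS,
    "B.3": READ_FUNCTIONS | WRITE_FUNCTIONS,
}


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_frame(unit: int, function: int, payload: bytes) -> bytes:
    """Assemble an RTU frame; the CRC is appended low byte first."""
    body = bytes([unit, function]) + payload
    crc = crc16_modbus(body)
    return body + bytes([crc & 0xFF, crc >> 8])


@dataclass
class Verdict:
    unit: Optional[int]
    function: Optional[int]
    status: str  # "allowed", "violation" or "malformed"
    reason: str


def inspect_frame(frame: bytes, device_class: str) -> Verdict:
    """Validate one RTU frame and check its function code against the class policy."""
    if len(frame) < 4:  # unit + function + 2 CRC bytes is the minimum
        return Verdict(None, None, "malformed", "frame shorter than 4 bytes")
    body, received_crc = frame[:-2], frame[-2:]
    expected = crc16_modbus(body)
    if received_crc != bytes([expected & 0xFF, expected >> 8]):
        # Corrupted or truncated frames are reported, not classified.
        return Verdict(body[0], body[1], "malformed", "CRC mismatch")
    unit, function = body[0], body[1]
    if function & 0x80:
        # Exception responses echo the request code with the high bit set.
        return Verdict(unit, function, "allowed", "exception response from device")
    if function in ALLOWED_BY_CLASS[device_class]:
        return Verdict(unit, function, "allowed", "function code permitted for this class")
    return Verdict(unit, function, "violation",
                   f"function 0x{function:02X} not permitted for Class {device_class}")


def audit(frames: List[bytes], device_class: str) -> List[Verdict]:
    """Inspect a captured sequence of frames addressed to one CDA."""
    return [inspect_frame(f, device_class) for f in frames]


# Constructed sample traffic: a poll for 10 holding registers, a write of a
# single register, and the same poll with its last CRC byte corrupted.
SAMPLE_FRAMES = [
    bytes.fromhex("01030000000AC5CD"),                   # read holding registers
    build_frame(0x01, 0x06, bytes.fromhex("00010003")),  # write single register
    bytes.fromhex("01030000000AC5CE"),                   # CRC mismatch
]

if __name__ == "__main__":
    for cls in ("B.1", "B.2"):
        for v in audit(SAMPLE_FRAMES, cls):
            print(cls, v.status, v.reason)
```

Run against a B.1 device the write frame is reported as a violation, while the same capture is clean for a B.2 device; the corrupted frame is reported as malformed in both cases.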

D1.5 Separation of Functions

  • Class A.2 [X X]: Class A.2 CDAs have integral HMIs that allow anyone (authorized or unauthorized) to manipulate operational parameters, which could lead to an adverse impact to SSEP functions. Therefore, the attack vector associated with this control exists and the control must be addressed. One method to address this security control is by verifying, validating, and documenting the following to ensure that no single individual has functional control over, or responsibility for, all of the factors and activity associated with operational parameter or configuration changes of the CDA:
      • Per licensee plant procedures, the work order for maintenance activities for the CDA is managed and authorized by an individual other than the person performing the maintenance.
      • Per licensee plant procedures, scheduling of maintenance work and assignment of maintenance personnel for the work is performed by individuals other than the individual performing the work.
      • Per licensee plant procedures, access to the specialized tools or keys to access the cabinet is controlled by personnel other than the personnel performing the maintenance.
      • Ensures that those individuals are trustworthy and reliable per 10 CFR 73.56.
  • Classes A.3, B.1, B.2, B.3 [X X]: See Class A.2 Basis.


D1.6 Least Privilege

  • Class A.2 [X]: Class A.2 CDAs have integral HMIs that allow anyone (authorized or unauthorized) to manipulate operational parameters, which could lead to an adverse impact to SSEP functions. Therefore, the attack vector associated with this control exists and the control must be addressed. Using the method provided in Section 3.1.6 of the cyber security plan, this security control is addressed by the security measures implemented to address D1.3 and D1.5 as alternate security measures that provide equal protection as this security control.
  • Class A.3 [X]: Class A.3 CDAs have a self-protection mechanism (e.g., password, key) to restrict HMI user access; however, they do not have the ability to assign the restrictive set of rights/privileges or access needed by users for the performance of specified tasks. The integral HMI allows manipulation of operational and configuration parameters that could lead to an adverse impact to SSEP functions. Therefore, the attack vector associated with this control exists and the control must be addressed. Using the method provided in Section 3.1.6 of the cyber security plan, this security control is addressed by implementing the measures described in controls D1.3 and D1.5 as described above.
  • Classes B.1, B.2, B.3 [X]: See Class A.3 Basis.

D1.7 Unsuccessful Login Attempts

  • Class A.2 [X]: Class A.2 CDAs do not support passwords; therefore there is no requirement to address attack vectors associated with password guessing. Therefore, this control does not apply and is not required.
  • Class A.3 [X X]: A primary attack vector associated with A.3 CDAs is unauthorized access of operational parameters or configuration via the HMI. Class A.3 CDAs have a self-protection mechanism (e.g., password, key) to restrict HMI user access; however, they do not have the ability to log attempts to bypass those mechanisms. Unauthorized access to the HMI could enable alteration of configuration settings that could adversely impact SSEP functions. Therefore, this control must be addressed. Using the method provided in Section 3.1.6 of the cyber security plan, this security control is addressed by implementing the following measures:
      • Either this security control is addressed by using its self-protection mechanism (e.g., password, key) to restrict HMI user access and by using the security measures implemented to address the security controls D1.3 and D1.5.
      • Or else the licensee has verified and documented the following to address this security control:
          • The CDA is in a locked, alarmed cabinet and the alarm is monitored in real time and immediately assessed, following a documented procedure, to determine whether access to the cabinet is authorized. If the CDA is in a locked cabinet but it is not an alarmed cabinet, the licensee implements measures (e.g., security officer rounds and periodic monitoring of tamper seals) to detect unauthorized access to the CDA.
          • Access to the cabinet is controlled and managed so that only authorized individuals are permitted access to the cabinet, and documented procedures are used when authorizing individuals access to the locked cabinet as well as when issuing those personnel a key to open the cabinet.
    Alternate method: The device is located in the Control Room, Central Alarm Station (CAS), or Secondary Alarm Station (SAS).
    Alternate method: Tamper tape, security rounds, and operator rounds provide detection of attempts of unauthorized access.
  • Classes B.1, B.2, B.3 [X X]: See Class A.3 Basis.

D1.8 System Use Notification

  • Class A.2 [X X]: Although the Class A.2 CDA lacks the technical capability to implement the control, the attack vectors associated with this control still exist (unauthorized access), and therefore this control is applicable to the Class A.2 CDAs and will be addressed by providing an equivalent alternative countermeasure. The plant access authorization program requires that each individual granted access to the site sign a document that describes his/her responsibilities. This is an acceptable alternative countermeasure for this device type. Alternatively, the control itself requires/allows for the use of physical notices in cases in which a CDA cannot support automated mechanisms for System Use Notifications.
  • Classes A.3, B.1, B.2, B.3 [X X]: See Class A.2 Basis.


D1.9 Previous Logon Notification

  • Class A.2 [X]: Class A.2 CDAs have integral HMIs that allow anyone (authorized or unauthorized) to manipulate operational parameters, which could lead to an adverse impact to SSEP functions. Therefore, the attack vector associated with this control exists and the control must be addressed. Using the method provided in Section 3.1.6 of the cyber security plan, this security control is addressed by the security measures implemented to address D1.3 and D1.5 as alternate security measures that provide equal protection as this security control.
  • Class A.3 [X]: Class A.3 CDAs have a self-protection mechanism (password, key, etc.) to restrict HMI user access; however, they do not have the ability to log the use of those mechanisms. Unauthorized access to the HMI could enable alteration of configuration settings which could adversely impact SSEP functions. Thus, the attack vector associated with this control exists and the control must be addressed. This security control is addressed by the security measures implemented to address D1.7 as an alternative security control.
  • Classes B.1, B.2, B.3 [X]: See Class A.3 Basis.

D1.10 Session Lock

  • Class A.2 [X X]: Unauthorized manipulation of the Class A.2 CDA's HMI could lead to adverse impacts to SSEP functions. Therefore, the attack vector associated with this control exists and the control must be addressed. Since the A.2 CDAs lack the capability to implement this control, using the method provided in Section 3.1.6 of the cyber security plan, this security control is addressed (1) by the security measures implemented to address D1.3 and D1.5 and (2) by verifying, validating, and documenting that licensees have plant procedures that require authorized personnel to physically remain in continual attendance at the CDA/cabinet as long as the cabinet containing the CDA remains open and unlocked; or by doing the following:
      • Physically restrict access to the CDA,
      • Monitor and record physical access to the CDA to timely detect and respond to intrusions,
      • Use auditing/validation measures (e.g., security guard rounds, periodic monitoring of tamper seals) to detect unauthorized access and modifications to the CDAs,
      • Ensure that individuals who have access to the CDA are qualified, and
      • Ensure that those individuals are trustworthy and reliable per 10 CFR 73.56.
    Alternate method: The device is located in the Control Room, Central Alarm Station (CAS), or Secondary Alarm Station (SAS).
  • Class A.3 [X X]: See Class A.2 Basis.
    Alternate method:
      • Logically lock the device upon leaving the device.
      • Ensure that individuals who have access to the CDA are qualified, and
      • Ensure that those individuals are trustworthy and reliable per 10 CFR 73.56.
    Alternate method: The device is located in the Control Room, Central Alarm Station (CAS), or Secondary Alarm Station (SAS).
  • Classes B.1, B.2, B.3 [X X]: See Class A.3 Basis.

D1.11 Supervision and Review - Access Control (D1.11)
Class A.2 (X): Class A.2 CDAs have integral HMIs that allow anyone (authorized or unauthorized) to manipulate operational parameters which could lead to an adverse impact to SSEP functions. Therefore, the attack vector associated with this control exists and the control must be addressed. Using the method provided in Section 3.1.6 of the cyber security plan, this security control is addressed by the security measures implemented to address D1.3 and D1.5 as alternate security measures that provide equal protection as this security control.
Class A.3 (X): Class A.3 CDAs have a self-protection mechanism (password, key, etc.) to restrict HMI user access; however, they do not have the ability to log the use of those mechanisms. Unauthorized access to the HMI could enable alteration of configuration settings which could adversely impact SSEP functions. Thus, the attack vector associated with this control exists and the control must be addressed. By using the method provided in Section 3.1.6 of the cyber security plan, this security control is addressed by verifying and documenting the review of the measures implemented to address D1.3 and by addressing any identified abnormalities based on licensees procedures for detecting and responding to potential security concerns.
Class B.1 (X): See Class A.3 Basis.
Class B.2 (X): See Class A.3 Basis.
Class B.3 (X): See Class A.3 Basis.

D1.12 Permitted Actions Without Identification and Authentication (D1.12)
Class A.2 (X): Class A.2 CDAs have integral HMIs that allow anyone (authorized or unauthorized) to manipulate operational parameters which could lead to an adverse impact to SSEP functions. However, access to the CDA is controlled and managed by security measures implemented to address D1.3 and D1.5, and therefore, no one can access the integral HMI unless the user is authorized and provided means to access the locked and alarmed cabinet of the A.2 CDAs as described in D1.3 and D1.5. Therefore, the attack vector associated with this control does not exist and this control is not applicable.
Class A.3 (X): Class A.3 CDAs have integral self-protection mechanisms (password, key) to control access to their HMIs and thus do not permit use of the integral HMIs without authentication. Thus, this security control is not applicable.
Class B.1 (X): See Class A.3 Basis.
Class B.2 (X X): Class B.2 CDAs, if they have an integral, local HMI, also have integral self-protection mechanisms (e.g., password, key) to control access to their HMIs and thus do not permit use of the integral HMIs without authentication. Thus, this security control is not applicable.
Note: If B.2 CDAs allow personnel to perform certain actions during an emergency condition, this security control applies. This security control is addressed by identifying and documenting plant procedures that accomplish the following:
  • Specify plant personnel actions that the personnel can perform on CDAs during normal and emergency conditions without identification or authentication.
  • Specify actions that plant personnel can perform without identification and authentication.
Class B.3 (X X): See Class B.2 Basis.

D1.13 Automated Marking (D1.13)
Class A.2 (X): A Class A.2 CDA by definition does not contain any SGI or SRI information, and thus the attack vector addressed by this control does not exist and the control is not required.
Class A.3 (X): See Class A.2 Basis.
Class B.1 (X): See Class A.2 Basis.
Class B.2 (X): See Class A.2 Basis.
Class B.3 (X): See Class A.2 Basis.

D1.14 Automated Labeling (D1.14)
Class A.2 (X): A Class A.2 CDA by definition has no peripherals or interfaces and thus no capability to generate computer-readable output. Plus, a Class A.2 CDA does not contain any SGI or SRI information. Thus, the attack vector addressed by this control does not exist and the control is not required.
Class A.3 (X): See Class A.2 Basis.
Class B.1 (X): See Class A.2 Basis.
Class B.2 (X): See Class A.2 Basis.
Class B.3 (X): See Class A.2 Basis.

D1.15 Network Access Control (D1.15)
Class A.2 (X): By definition, a Class A.2 CDA has no communication ports or interfaces (or they have been physically disabled) and thus it is incapable of network connectivity and communication with other systems and devices and thus the associated attack vector does not exist and the control is not required.
Class A.3 (X): See Class A.2 Basis.
Class B.1 (X): See Class A.2 Basis.
Class B.2 (X): By definition, a Class B.2 CDA has only serial, asynchronous communication ports or interfaces as well as a special-purpose connection used for the configuration of the Class B.2 CDAs. The serial port provides read/write access to CDA data plus control over outputs and pre-defined CDA functions but cannot be used to alter the CDAs functionality, configuration settings, or program code. Therefore, the attack vectors associated with illegal or unauthorized network access (serial communication) exist. Since the B.2 CDAs lack the capability to implement this control, using the method provided in Section 3.1.6 of the cyber security plan, this security control is addressed by the security measures implemented to address D1.4 above.
Class B.3 (X): By definition, a Class B.3 CDA has only serial, asynchronous communication ports or interfaces as well as a special-purpose connection used for the configuration of the Class B.3 CDAs. The serial port 1) provides read-only access to CDA data, 2) can send commands to the CDAs to control the CDAs outputs and/or pre-defined CDA functions, and 3) can be used to alter the CDAs functionality by modification of its configuration settings (but not its program code). Therefore, the attack vectors associated with illegal or unauthorized network access (serial communication) exist. Since the B.3 CDAs lack the capability to implement this control, using the method provided in Section 3.1.6 of the cyber security plan, this security control is addressed by the security measures implemented to address D1.4 above.

D1.16 Open/Insecure Protocol Restrictions (D1.16)
Class A.2 (X): By definition, a Class A.2 CDA has no communication ports or interfaces (or they have been physically disabled) other than the special-purpose connection used for configuration of the Class A.2 CDAs. Thus, the attack vector associated with this control does not exist and the control is not required.
Class A.3 (X): By definition, a Class A.3 CDA has no communication ports or interfaces (or they have been physically disabled) and thus is incapable of supporting insecure/open protocols, network connectivity, and communication with other systems and devices (with the exception being any maintenance tool used for configuration of the Class A.3 CDA) and thus the associated attack vector does not exist and the control is not required.
Class B.1 (X): By definition, a Class B.1 CDA has no interfaces, peripherals or ports (or they have been physically disabled) other than the special purpose connection used only for configuration purposes and serial ports for asynchronous communication using industrial protocols that do not contain user authentication information or credentials. Thus, the attack vector associated with this control does not exist and the control is not required.
Class B.2 (X): By definition, a Class B.2 CDA has no interfaces, peripherals, or ports (or they have been physically disabled) other than the special purpose connection used only for configuration purposes and serial, asynchronous communication ports that allow communication using industrial protocols that is open and do not contain user authentication information or credentials. However, the system/device to which a CDA is communicating is protected at the level of the CDA and the communication wiring between the CDA and the system/device are physically protected as described in the D3.6 security control. Thus, the attack vector associated with this control does not exist and the control is not required.
Class B.3 (X): See Class B.2 Basis.

D1.17 Wireless Access Restrictions (D1.17)
Class A.2 (X): By definition, a Class A.2 CDA has no wireless communication functionality/capability (nor do any maintenance tool used for making configuration changes) and thus the attack vector addressed by this control does not exist and the portion of the control associated with the Class A.2 CDAs functionality is not required.
NOTE: This control also includes a requirement for periodic scans to detect unauthorized wireless connectivity to plant LANs containing CDAs. That requirement is separate from the elements of the control that pertain to the individual CDAs themselves (see above) and monthly scans will be made for unauthorized wireless devices per plant procedure.
Class A.3 (X): See Class A.2 Basis.
Class B.1 (X): See Class A.2 Basis.
Class B.2 (X): See Class A.2 Basis.
Class B.3 (X): See Class A.2 Basis.

D1.18 Insecure and Rogue Connections (D1.18)
Class A.2 (X): A Class A.2 CDA by definition has no communication functionality/capability (except for the maintenance tool interface, which can only be accessed by taking the CDA out of service), no peripherals, no interfaces (except for the local/integral limited-functionality HMI), and no wireless communications connectivity/functionality and thus the attack vector addressed by this control does not exist and the control is not required.
Class A.3 (X): See Class A.2 Basis.
Class B.1 (X): The licensees verified and documented that B.1 CDA has one or more serial asynchronous communication ports that allow communication using an industrial, poll-response protocol with pre-defined functionality. If the CDA supports multiple serial ports then any such ports not being used must be physically disabled. The CDA has no other peripherals, interfaces or ports (or they have been physically disabled). Thus, the attack vector associated with this control does not exist and the control is not required.
Class B.2 (X X): B.2 CDAs have one serial asynchronous communication port that allows communication using an industrial, poll-response protocol with pre-defined functionality. The licensee verified and documented that the system/device to which CDA is communicating is protected as a CDA and the communication wiring between the CDA and the system/device are physically protected as described in D3.6 security control. Thus, the attack vector associated with this control does not exist and the control is not required.
However, if the B.2 CDA has more than one serial asynchronous communication ports that allow communication using an industrial, poll-response protocol with pre-defined functionality, the attack vectors associated with this security control exist. This security control is addressed by licensees verifying and documenting that (1) the communication wiring between the CDA and the system/device are physically protected as described in the D3.6 security control and (2) ports not being used are physically disabled and periodically verified that these ports remained physically disabled. The periodicity is in accordance with the licensees cyber security plans.
Class B.3 (X X): See Class B.2 Basis.

D1.19 Access Control for Portable and Mobile Devices (D1.19)
Class A.2 (X X): The configuration of the Class A.2 CDA can be altered via a maintenance tool. Such modifications, made maliciously or accidentally, could change the A.2 CDAs functions and could cause adverse impacts to the CDAs SSEP functions. The maintenance tool provides an attack vector and thus this security control needs to be addressed. The security control is addressed by the following:
  • Establishing and documenting the usage restrictions and implementation guidance for controlled portable and mobile devices
  • Authorizing, monitoring, and controlling device (e.g., maintenance tool) access to CDAs
  • Enforcing and documenting that maintenance tool security and integrity are maintained at a level consistent with the B.1 CDA that the maintenance tool supports
  • Enforcing and documenting that the maintenance tool is only used in one security level and is not moved between security levels
Class A.3 (X X): See Class A.2 Basis.
Class B.1 (X X): See Class A.2 Basis.
Class B.2 (X X): See Class A.2 Basis.
Class B.3 (X X): See Class A.2 Basis.

D1.20 Proprietary Protocol Visibility (D1.20)
Class A.2 (X): By definition, a Class A.2 CDA has no communication ports or interfaces (or they have been physically disabled) and thus is incapable of supporting insecure/open protocols, network connectivity, and communication with other systems and devices (with the exception being any maintenance tool used for configuration of the Class A.2 CDA) and thus the associated attack vector does not exist and the control is not required.
Class A.3 (X): See Class A.2 Basis.
Class B.1 (X): By definition, a Class B.1 CDA has no network connectivity, ports or interfaces (or they have been physically disabled) other than one or more asynchronous serial connections configured for well-known industrial protocols. The B.1 CDA does not use any proprietary protocols that would prevent the licensee from detecting unauthorized or malicious activity. Therefore the attack vector associated with this control does not exist and the control is not required.
Class B.2 (X): See Class B.1 Basis.
Class B.3 (X): See Class B.1 Basis.

D1.21 Third Party Products and Controls (D1.21)
Class A.2 (X): The intent of this control is to ensure the inability to: (1) install third-party system-/network-level protection due to a vendor or licensing conflict, or (2) install third party system-/network-level protection due to a potential loss of service support from a vendor, does not cause the security posture of the CDA to be less than is needed to meet the performance requirements of the rule or to support the licensees overall CSP defensive model.
These CDAs by definition do not support installation of third-party software; therefore, this control is not applicable.
Class A.3 (X): See Class A.2 Basis.
Class B.1 (X): See Class A.2 Basis.
Class B.2 (X): See Class A.2 Basis.
Class B.3 (X): See Class A.2 Basis.

D1.22 Use of External Systems (D1.22)
Class A.2 (X): By definition, a Class A.2 CDA has no communication ports or interfaces (or they have been physically disabled) other than the special-purpose connection used for configuration of the Class A.2 CDAs. Therefore, the attack vector associated with this control does not exist and the control is not required.
Class A.3 (X): As described in the justifications for security control D1.18, the licensee verified and documented that a Class A.3 CDA has no communication ports or interfaces (or they have been physically disabled) other than the special-purpose connection used for configuration of the Class A.3 CDAs. Additionally, when maintenance tools are used with the CDA they are not connected to a network or other devices at the same time. Therefore, the attack vector associated with this control does not exist and the control is not required.
Class B.1 (X): As described in the justifications for security control D1.18, the licensee verified and documented that a Class B.1 CDA has only serial, asynchronous communication ports and no other peripherals or interfaces (or they have been physically disabled), as well as a special-purpose connection used for configuration of the Class B.1 CDAs. The serial ports are configured to use an industrial protocol with pre-defined message types and commands. Additionally, when maintenance tools are used with the CDA, they are not connected to a network or other devices at the same time and the licensee has verified that any system communicating with the CDA has been protected at the same level as the CDA. Therefore, the attack vector associated with this control does not exist and the control is not required.
Class B.2 (X): See Class B.1 Basis.
Class B.3 (X): See Class B.1 Basis.

D1.23 Public Access Protections (D1.23)
Class A.2 (X): A Class A.2 CDA by definition does not contain any SGI or SRI information, and thus the attack vector addressed by this control does not exist and the control is not required.
Class A.3 (X): See Class A.2 Basis.
Class B.1 (X): See Class A.2 Basis.
Class B.2 (X): See Class A.2 Basis.
Class B.3 (X): See Class A.2 Basis.

D2.1 Audit and Accountability Policy and Procedures (D2.1)
Class A.2 (X X): The Audit and Accountability Policy and Procedures control is a common control applicable to the licensee organization. Its requirements should be applied to CDAs based upon defined and documented auditing and accountability policies and procedures.
Class A.3 (X X): Same basis as Class A.2.
Class B.1 (X X): Same basis as Class A.2.
Class B.2 (X X): Same basis as Class A.2.
Class B.3 (X X): Same basis as Class A.2.

D2.2 Auditable Events (D2.2)
Class A.2 (X X): Class A.2 CDAs have integral HMIs that allow anyone (authorized or unauthorized) to manipulate operational parameters which could lead to an adverse impact to SSEP functions. Therefore, the attack vector associated with this control exists and the control must be addressed. Using the method provided in Section 3.1.6 of the cyber security plan, this security control is addressed by documenting the following as the auditable events for Class A.2 CDAs:
1. Unexpected failures of the CDA;
2. Unexplained behavior of the CDA;
3. Configuration of CDA changes; and,
4. Unauthorized access is detected.
These elements are to be included within the audits described in D2.6.
Class A.3 (X X): See Class A.2 Basis.
Class B.1 (X X): See Class A.2 Basis.
Class B.2 (X X): See Class A.2 Basis.
Class B.3 (X X): See Class A.2 Basis.

D2.3 Content of Audit Records (D2.3)
Class A.2 (X X): Class A.2 CDAs do not have the ability to log and record user activities, therefore, by using the method described in Section 3.1.6 of the cyber security plan, this control is addressed by security measures that are implemented by the following:
  • Documenting the D1.2 security activities;
  • Reviewing information collected under the licensees current maintenance, testing, calibration, and identifying the information that will be used to support the detection of the unauthorized access to the CDA and to perform security incident analysis.
Class A.3 (X X): See Class A.2 Basis.
Class B.1 (X X): See Class A.2 Basis.
Class B.2 (X X): See Class A.2 Basis.
Class B.3 (X X): See Class A.2 Basis.

D2.4 Audit Storage Capacity (D2.4)
Class A.2 (X): A Class A.2 CDA is incapable of logging/recording user activities performed through its integral HMI. The audit information associated with the user activities performed via the CDAs HMI is manually collected and therefore, the attack vectors associated with this security control do not exist. Thus, this security control is not applicable.
Class A.3 (X): See Class A.2 Basis.
Class B.1 (X): See Class A.2 Basis.
Class B.2 (X): See Class A.2 Basis. Additionally, a Class B.2 CDA is incapable of logging/recording communications (commands) from the system/device to which the CDA is communicating. However, the system/device to which the CDA is communicating maintains logging information in order to address this security control. Thus, by using the method provided in Section 3.1.6 of the CSP, this security control is addressed by verifying that the system/device to which the CDA is communicating logs applicable communications to the CDA and inheriting it.
Class B.3 (X): See Class B.2 Basis.

D2.5 Response to Audit Processing Failures (D2.5)
Class A.2 (X): A Class A.2 CDA has a local integral HMI as its only user interface and is incapable of logging/recording user activities performed through that HMI. The audit information associated with the user activities of Class A.2 CDAs is manually collected and therefore, the attack vectors associated with this security control do not exist. Thus, this security control is not applicable.
Class A.3 (X): See Class A.2 Basis.
Class B.1 (X): See Class A.2 Basis.
Class B.2 (X): A Class B.2 CDA may have a local integral HMI as its only user interface and is incapable of logging/recording user activities performed through that HMI. The audit information associated with the user activities of Class B.2 CDAs is manually recorded and therefore, the attack vectors associated with this security control do not exist relative to the integral HMI. Thus, this security control is not applicable for attack vectors associated with the integral HMI.
However, although a Class B.2 CDA is incapable of logging/recording communications (commands) from the system/device to which the CDA is communicating, the system/device to which the CDA is communicating maintains logging information. Thus, this security control is addressed by the system/device that sent such messages (e.g., an operator workstation) and using Section 3.1.6 of the cyber security plan, the B.2 CDA inherits the protections provided by the system/device.
Class B.3 (X): See Class B.2 Basis.

D2.6 Audit Review, Analysis and Reporting (D2.6)
Class A.2 (X X): Class A.2 CDAs are incapable of logging/recording user activities performed through their HMI. The audit information associated with the user activities of Class A.2 CDAs is manually collected. Thus, by using the method provided in Section 3.1.6 of the cyber security plan, this security control is addressed by periodically reviewing (manual reviews) the information collected under D2.2 and D2.3. Periodicity is consistent with the cyber security plan.
Class A.3 (X X): See Class A.2 Basis.
Class B.1 (X X): See Class A.2 Basis.
Class B.2 (X X): See Class A.2 Basis. Additionally, although a Class B.2 CDA is incapable of logging/recording communications (commands) from the system/device to which the CDA is communicating, the system/device to which the CDA is communicating maintains logging information. Thus, this security control is addressed by the system/device that sent such messages (e.g., an operator workstation) and using Section 3.1.6 of the cyber security plan, the B.2 CDA inherits the protections provided by the system/device.
Class B.3 (X X): See Class B.2 Basis.

D2.7 Audit Reduction and Report Generation (D2.7)
Class A.2 (X): Class A.2 CDAs are incapable of logging/recording user activities performed through the HMI. The audit information associated with the user activities of Class A.2 CDAs is manually collected and therefore the attack vector associated with this cyber security control does not exist.
Class A.3 (X X): A Class A.3 CDA does not have capability to collect and record user activities performed through its integral HMI. The log information associated with the users activities performed through the integral HMI is manually collected and reviewed and evaluated separate from the CDA. Thus, by using the method provided in Section 3.1.6 of the cyber security plan, this security control is addressed by periodically reviewing (manual reviews) the information collected under D2.2 and D2.3. Periodicity is consistent with the cyber security plan.
Class B.1 (X X): See Class A.3 Basis.
Class B.2 (X X): See Class A.3 Basis.
Class B.3 (X X): See Class A.3 Basis.

D2.8 Time Stamps (D2.8)
Class A.2 (X X): Since a Class A.2 CDA is incapable of collecting log information (if it has an integral HMI), that information is to be manually collected per the measures specified in D2.3 and as part of those measures the date and time of events are manually recorded as an alternative countermeasure.
Class A.3 (X X): See Class A.2 Basis.
Class B.1 (X X): See Class A.2 Basis.
Class B.2 (X X): See Class A.2 Basis. Additionally, for auditable events initiated via industrial protocol messages sent over a CDAs asynchronous serial communication channels and the time stamping of those events, this security control is addressed by having the system/device that sent such messages (e.g., an operator workstation) apply the time tags. Therefore, by using Section 3.1.6 of the cyber security plan, this security control is addressed by the licensee verifying and documenting that the time stamping of the auditable events are addressed by the system/device and the B.2 CDA inherits the protection.
Class B.3 (X X): See Class B.2 Basis.
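As an added example, not part of NEI 13-10 or of any licensee's procedures, the review step that D2.2, D2.4, D2.5 and D2.8 together describe for a Class B.2 CDA: the operator workstation that sends serial messages to the CDA keeps the record and applies the time tags, and the licensee's periodic review sorts those records into the four D2.2 auditable-event categories and flags any record the workstation failed to time-stamp. The log line format, message types, user names and serial channel name below are all constructed for the example.

```python
"""Periodic review of the audit records a Class B.2 CDA inherits from the
system/device that sends it serial messages (NEI 13-10 Rev 7, D2.2/D2.4/D2.5/D2.8).
Example code; the record shape and message-type names are constructed here."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime

# The four auditable events listed for D2.2, numbered as in the table.
AUDITABLE_EVENTS = {
    1: "Unexpected failure of the CDA",
    2: "Unexplained behavior of the CDA",
    3: "Configuration of CDA changed",
    4: "Unauthorized access detected",
}

# Constructed record shape, one per serial message the workstation sent or received:
#   <ISO-8601 time tag> <user> <serial channel> <message type> [detail]
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<chan>\S+) (?P<kind>\S+) ?(?P<detail>.*)$")

# Constructed message-type names; a real workstation uses those of its protocol driver.
CONFIG_WRITES = {"WRITE_SETPOINT", "WRITE_CONFIG"}      # D2.2 item 3
FAILURES = {"TIMEOUT", "CRC_ERROR", "NO_RESPONSE"}       # D2.2 item 1
UNEXPLAINED = {"UNSOLICITED_REPLY", "VALUE_OUT_OF_RANGE"}  # D2.2 item 2


@dataclass
class Finding:
    line_no: int
    event: int      # key into AUDITABLE_EVENTS
    summary: str


@dataclass
class ReviewResult:
    records: int = 0
    findings: list[Finding] = field(default_factory=list)
    missing_time_tag: list[int] = field(default_factory=list)  # D2.8 gap in the inherited record


def _has_time_tag(ts: str) -> bool:
    try:
        datetime.fromisoformat(ts)
        return True
    except ValueError:
        return False


def review_inherited_log(lines, authorized_users, cda_channel) -> ReviewResult:
    """Classify the workstation's records for one CDA channel against the D2.2 events."""
    result = ReviewResult()
    for n, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue
        result.records += 1
        m = LINE_RE.match(line)
        if m is None:
            result.missing_time_tag.append(n)   # unparseable: no usable time tag either
            continue
        if not _has_time_tag(m["ts"]):
            # D2.8: the sending system/device must apply the time tag; the review still
            # classifies the event but records that this line cannot be placed in time.
            result.missing_time_tag.append(n)
        if m["chan"] != cda_channel:
            continue                            # traffic to some other device
        kind, user, detail = m["kind"], m["user"], m["detail"]
        if user not in authorized_users:        # D2.2 item 4
            result.findings.append(Finding(n, 4, f"{user} issued {kind} without authorization"))
        if kind in CONFIG_WRITES:
            result.findings.append(Finding(n, 3, f"{kind} {detail}".strip()))
        elif kind in FAILURES:
            result.findings.append(Finding(n, 1, kind))
        elif kind in UNEXPLAINED:
            result.findings.append(Finding(n, 2, f"{kind} {detail}".strip()))
    return result


def counts_by_event(result: ReviewResult) -> dict[int, int]:
    return {e: sum(1 for f in result.findings if f.event == e) for e in AUDITABLE_EVENTS}


# Constructed sample: eight workstation records, one authorized operator, channel COM3.
AUTHORIZED_USERS = {"opr1"}
CDA_CHANNEL = "COM3"
SAMPLE_LOG = [
    "2021-10-29T08:00:12 opr1 COM3 READ_DATA tank_level",
    "2021-10-29T08:01:40 opr1 COM3 WRITE_SETPOINT pump_a=45",
    "2021-10-29T08:02:05 opr1 COM3 CRC_ERROR",
    "2021-10-29T08:02:06 opr1 COM3 TIMEOUT",
    "2021-10-29T08:05:00 tech9 COM3 WRITE_CONFIG scan_rate=500ms",  # tech9 not authorized
    "2021-10-29T08:06:11 opr1 COM4 WRITE_SETPOINT valve_b=10",      # other channel, ignored
    "bad-timestamp opr1 COM3 READ_DATA tank_level",                 # workstation omitted time tag
    "2021-10-29T08:07:30 opr1 COM3 UNSOLICITED_REPLY 0x7F",
]

if __name__ == "__main__":
    res = review_inherited_log(SAMPLE_LOG, AUTHORIZED_USERS, CDA_CHANNEL)
    for f in res.findings:
        print(f"line {f.line_no}: D2.2 item {f.event} ({AUDITABLE_EVENTS[f.event]}): {f.summary}")
    print("records without a time tag:", res.missing_time_tag)
```

Findings that fall under items 3 or 4 are the ones D2.6 expects the manual review to carry into the licensee's incident handling; records listed under missing_time_tag show where the inherited D2.8 protection is not actually being provided by the upstream device.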

D2.9 Protection of Audit Information (D2.9)
Class A.2 (X X): Class A.2 CDAs are incapable of logging/recording user activities performed through the HMI. The audit information associated with the user activities of Class A.2 CDAs is manually collected. Therefore, using the method provided in Section 3.1.6 of the cyber security plan this control is addressed by plant procedures protecting the information collected under D2.3 from falsification or unauthorized modification.
Class A.3 (X X): See Class A.2 Basis.
Class B.1 (X X): See Class A.2 Basis.
Class B.2 (X X): See Class A.2 Basis. Additionally, although a Class B.2 CDA is incapable of logging/recording communications (commands) from the system/device to which the CDA is communicating, the system/device to which the CDA is communicating maintains logging information. Thus, this security control is addressed by the system/device that sent such messages (e.g., an operator workstation) and using the Section 3.1.6 of the cyber security plan, the B.2 CDA inherits the protections provided by the system/device.
Class B.3 (X X): See Class B.2 Basis.

D2.10 Non-Repudiation (D2.10)
Class A.2 (X): Class A.2 CDAs are incapable of logging/recording user activities performed through the HMIs (if they have one). The audit information associated with the user activities of Class A.2 CDAs is manually collected. By using the method provided in Section 3.1.6 of the cyber security plan, this control is addressed by control D2.9.
Class A.3 (X): See Class A.2 Basis.
Class B.1 (X): See Class A.2 Basis.
Class B.2 (X): See Class A.2 Basis.
Class B.3 (X): See Class A.2 Basis.

D2.11 Audit Record Retention (D2.11)
Class A.2 (X X X): The information collected under D2.2 is retained in accordance with NRC record retention regulations.
Class A.3 (X X X): See Class A.2 Basis.
Class B.1 (X X X): See Class A.2 Basis.
Class B.2 (X X X): See Class A.2 Basis.
Class B.3 (X X X): See Class A.2 Basis.

D2.12 Audit Generation (D2.12)
Class A.2 (X): By definition, a Class A.2 CDA does not log/record user activity via the local/integral HMI or the special maintenance and configuration tool. For the Class A.2 CDAs, the audit information is manually collected. By using the method provided in Section 3.1.6 of the cyber security plan, this security control is addressed by security measures taken by the licensee to address controls D2.2 and D2.3, and any identified security issues are put into the licensees CAP program to ensure that those issues are promptly documented and tracked.
Class A.3 (X): See Class A.2 Basis.
Class B.1 (X): See Class A.2 Basis.
Class B.2 (X): See Class A.2 Basis.
Class B.3 (X): See Class A.2 Basis.

D3.1 CDA, System and Communications Protection Policy and Procedures (D3.1)
Class A.2 (X X): The CDA, System and Communications Protection Policy and Procedures control is a common control applicable to the licensee organization. Its requirements should be applied to CDAs based upon defined and documented system and communication protection policies and procedures.
Class A.3 (X X): Same basis as Class A.2.
Class B.1 (X X): Same basis as Class A.2.
Class B.2 (X X): Same basis as Class A.2.
Class B.3 (X X): Same basis as Class A.2.

D3.2 Application Partitioning/Security Function Isolation (D3.2)
  Class A.2 Basis [X]: The Class A.2 CDA does not support any security functionality, and the licensee verified that its vendor-provided software is designed to ensure that its essential SSEP functionality is not disrupted or adversely impacted because of user interaction via the local/integral HMI. Thus, the attack vector addressed by this control does not exist and the control is not required.
  Class A.3 Basis [X]: See Class A.2 Basis.
  Class B.1 Basis [X]: The Class B.1 CDA does not support any security functionality, and the licensee verified that its vendor-provided software is designed to ensure that its essential SSEP functionality is not disrupted or adversely impacted because of user interaction via the local/integral HMI or due to the use of the serial communication port(s). Thus, the attack vector addressed by this control does not exist and the control is not required.
  Class B.2 Basis [X]: See Class B.1 Basis.
  Class B.3 Basis [X]: See Class B.1 Basis.

D3.3 Shared Resources (D3.3)
  Class A.2 Basis [X]: The Class A.2 CDA device does not share any resources or use any shared resources, and it does not contain any SRI or SGI of value to an adversary. Thus, the attack vector associated with this control does not exist and the control is not required.
  Class A.3 Basis [X]: See Class A.2 Basis.
  Class B.1 Basis [X]: See Class A.2 Basis.
  Class B.2 Basis [X]: See Class A.2 Basis.
  Class B.3 Basis [X]: See Class A.2 Basis.

D3.4 Denial of Service Protection (D3.4)
  Class A.2 Basis [X]: The Class A.2 CDA device has no interfaces or peripherals aside from its integral HMI, and the licensee verified the HMI cannot cause a denial of service attack; thus the attack vector associated with this control does not exist and the control is not required.
  Class A.3 Basis [X]: The licensee verified that the Class A.3 CDA has no interfaces or peripherals aside from its integral HMI and any I/O it supports, and the licensee verified that the HMI cannot cause a denial of service attack; thus the attack vector associated with this control does not exist and the control is not required.
  Class B.1 Basis [X]: The licensee verified that the Class B.1 CDA has no interfaces or peripherals aside from its integral HMI (if it has one), asynchronous serial ports and any I/O it supports, and the licensee verified that the HMI and serial communications cannot cause a denial of service attack; thus the attack vector associated with this control does not exist and the control is not required.
  Class B.2 Basis [X]: See Class B.1 Basis.
  Class B.3 Basis [X]: See Class B.1 Basis.

D3.5 Resource Priority (D3.5)
  Class A.2 Basis [X]: The licensee verified that the Class A.2 CDAs perform real-time processing, do not support multiple processes or threads running simultaneously, and that this Class A.2 CDA contains no additional resources requiring prioritization. The attack vector associated with this control does not exist and the control is not required.
  Class A.3 Basis [X]: See Class A.2 Basis.
  Class B.1 Basis [X]: See Class A.2 Basis.
  Class B.2 Basis [X]: See Class A.2 Basis.
  Class B.3 Basis [X]: See Class A.2 Basis.

D3.6 Transmission Integrity (D3.6)
  Class A.2 Basis [X]: By definition, a Class A.2 CDA has no communication ports or interfaces (or they have been physically disabled) other than the special-purpose connection used for configuration of the Class A.2 CDAs. Thus, the attack vector associated with this control does not exist and the control is not required.
  Class A.3 Basis [X]: By definition, Class A.3 CDAs do not communicate with any other digital device or system except via basic analog, contact, or pulse I/O signals that are hard-wired and do not support any communication functionality (except with the maintenance tool, and only by taking the CDA out of service). The Class A.3 CDA is physically incapable of receiving or transmitting any communications. The attack vector associated with this control does not exist and the control is not required.
  Class B.1 Basis [X]: By definition, a Class B.1 CDA is factory-programmed and/or designed to only allow CDA information extraction through the asynchronous serial communications channel using poll-response based message exchanges. Additionally, the loss or degradation of the integrity, confidentiality or availability of the information or data from the CDA could not result in adverse impact to SSEP functions. Therefore, the attack vectors associated with this security control do not exist and this security control is not applicable.
  Class B.2 Basis [X X]: By definition, a Class B.2 CDA has only serial, asynchronous communication ports aside from the special connection only used for configuration of the Class B.2 CDAs and any basic analog, contact, or pulse I/O signals. The industrial protocols used by these CDAs do not support message validation and authentication mechanisms but can be used to control outputs connected to plant equipment and to control pre-configured control functions [this includes alterations to CDA configuration settings and the functional capabilities of the CDA (but not its program code)]. Therefore, the attack vector associated with this control exists. By using the method provided in Section 3.1.6 of the CSP, this security control is addressed by physically protecting the communication to prevent tampering by using one of the following methods:
    • Cables are contained in metal conduit and sealed junction boxes.
    • Cabling is in a locked room (or similar) to prevent tampering.
    • Cabling is in an area that contains concentrations of cables (e.g., cable spreading rooms, cable vaults, junction boxes, cable panels, cable trays, etc.); the cables are not easily accessible (physical contact without the aid of scaffolding or a ladder); and the cables are not easily recognizable by an adversary.
  Class B.3 Basis [X X]: See Class B.2 Basis.

D3.7 Transmission Confidentiality (D3.7)
  Class A.2 Basis [X]: By definition, a Class A.2 CDA has no communication ports or interfaces (or they have been physically disabled) other than the special-purpose connection used for configuration of the Class A.2 CDAs. Thus, the attack vector associated with this control does not exist and the control is not required.
  Class A.3 Basis [X]: The Class A.3 CDAs do not communicate with any other digital device or system (except for the maintenance tool, and only by taking the CDA out of service) except by means of analog, contact, and/or pulse I/O signals which are hard-wired and do not support any communication functionality. The Class A.3 CDA is physically incapable of receiving or transmitting any communications. The attack vector associated with this control does not exist and the control is not required.
  Class B.1 Basis [X]: By definition, a Class B.1 CDA has serial, asynchronous communication ports as well as a special-purpose connection used for configuration of the Class B.1 CDAs, and no other peripherals or interfaces (or they have been hardware disabled). The industrial protocols used on the serial ports do not contain any SRI or SGI or other information that requires confidentiality. Thus, the attack vectors associated with the asynchronous communication channel for this security control do not exist.
  Class B.2 Basis [X]: See Class B.1 Basis.
  Class B.3 Basis [X]: See Class B.1 Basis.

D3.8 Trusted Path (D3.8)
  Class A.2 Basis [X]: The Class A.2 CDA does not support any security functionality or user authentication process, and thus the attack vector associated with this control does not exist and the control is not required.
  Class A.3 Basis [X]: The Class A.3 CDA has an integral limited functionality HMI and supports no user credential validation; thus the attack vector associated with this control does not exist and the control is not required.
  Class B.1 Basis [X]: See Class A.3 Basis.
  Class B.2 Basis [X]: The Class B.2 CDA has an integral limited functionality HMI and has no communication path between the user and the security functions of the CDA. Thus, the attack vector associated with this control does not exist and the control is not required.
  Class B.3 Basis [X]: See Class B.2 Basis.

D3.9 Cryptographic Key Establishment and Management (D3.9)
  Class A.2 Basis [X]: The Class A.2 CDA does not use cryptography. Thus, the attack vector associated with this control does not exist and the control is not required.
  Class A.3 Basis [X]: The Class A.3 CDA does not use cryptography, nor is it necessary to address any of its security controls, including inherited controls. Thus, the attack vector associated with this control does not exist and the control is not required.
  Class B.1 Basis [X]: See Class A.3 Basis.
  Class B.2 Basis [X]: See Class A.3 Basis.
  Class B.3 Basis [X]: See Class A.3 Basis.

D3.10 Unauthorized Remote Activation of Services (D3.10)
  Class A.2 Basis [X]: The Class A.2 CDA is incapable of using collaborative computing mechanisms, and does not use or contain any cameras or microphones. As a result, the attack vector directly associated with this control does not exist and the control is not required.
  Class A.3 Basis [X]: See Class A.2 Basis.
  Class B.1 Basis [X]: See Class A.2 Basis.
  Class B.2 Basis [X]: See Class A.2 Basis.
  Class B.3 Basis [X]: See Class A.2 Basis.

D3.11 Transmission of Security Parameters (D3.11)
  Class A.2 Basis [X]: The Class A.2 CDA does not support the transmission of security parameters, does not contain any SRI or SGI of value to an adversary, nor does it support any type of communication capability except for interfacing to a maintenance tool (or such capabilities have been physically disabled). As a result, the attack vector directly associated with this control does not exist and the control is not required.
  Class A.3 Basis [X]: See Class A.2 Basis.
  Class B.1 Basis [X]: The Class B.1 CDA does not support the transmission of security parameters and does not contain any SRI or SGI of value to an adversary. Communications are limited to interfacing to a maintenance tool and asynchronous serial communications using industrial protocols. There are no other peripherals or interfaces (or such capabilities have been physically disabled). As a result, the attack vector directly associated with this control does not exist and the control is not required.
  Class B.2 Basis [X]: See Class B.1 Basis.
  Class B.3 Basis [X]: See Class B.1 Basis.

D3.12 Public Key Infrastructure Certificates (D3.12)
  Class A.2 Basis [X]: The Class A.2 CDA does not use cryptography for any of its capabilities and does not use or support public key certificates. Thus, the attack vector associated with this control does not exist and the control is not required.
  Class A.3 Basis [X]: The Class A.3 CDA does not contain any SGI or SRI information. Additionally, the Class A.3 CDA does not use cryptography for any of its capabilities, and does not use PKI to support any other security control, including inherited controls. The attack vector associated with this control does not exist and the control is not required.
  Class B.1 Basis [X]: See Class A.3 Basis.
  Class B.2 Basis [X]: See Class A.3 Basis.
  Class B.3 Basis [X]: See Class A.3 Basis.

D3.13 Mobile Code (D3.13)
  Class A.2 Basis [X]: The Class A.2 CDA is incapable of receiving, serving, or executing mobile code and has no communication capabilities except for interfacing to a maintenance tool (or such capabilities have been physically disabled). As a result, the attack vector directly associated with this control does not exist and the control is not required.
  Class A.3 Basis [X]: See Class A.2 Basis.
  Class B.1 Basis [X]: See Class A.2 Basis.
  Class B.2 Basis [X]: See Class A.2 Basis.
  Class B.3 Basis [X]: See Class A.2 Basis.

D3.14 Secure Name/Address Resolution Service (Authoritative/Trusted Source) (D3.14)
  Class A.2 Basis [X]: The Class A.2 CDA does not use any address resolution services. As a result, the attack vector directly associated with this control does not exist and the control is not required.
  Class A.3 Basis [X]: See Class A.2 Basis.
  Class B.1 Basis [X]: See Class A.2 Basis.
  Class B.2 Basis [X]: See Class A.2 Basis.
  Class B.3 Basis [X]: See Class A.2 Basis.

D3.15 Secure Name/Address Resolution Service (Recursive or Caching Resolver) (D3.15)
  Class A.2 Basis [X]: The Class A.2 CDA does not use any address resolution services. As a result, the attack vector directly associated with this control does not exist and the control is not required.
  Class A.3 Basis [X]: See Class A.2 Basis.
  Class B.1 Basis [X]: See Class A.2 Basis.
  Class B.2 Basis [X]: See Class A.2 Basis.
  Class B.3 Basis [X]: See Class A.2 Basis.

D3.16 Architecture and Provisioning for Name/Address Resolution Service (D3.16)
  Class A.2 Basis [X]: The Class A.2 CDA does not use any address resolution services. As a result, the attack vector directly associated with this control does not exist and the control is not required.
  Class A.3 Basis [X]: See Class A.2 Basis.
  Class B.1 Basis [X]: See Class A.2 Basis.
  Class B.2 Basis [X]: See Class A.2 Basis.
  Class B.3 Basis [X]: See Class A.2 Basis.

D3.17 Session Authenticity (D3.17)
  Class A.2 Basis [X]: The Class A.2 CDA does not communicate with any other device except via basic analog, pulse I/O, or contact signals. The Class A.2 CDA is otherwise physically incapable of sending or receiving any communication. The Class A.2 CDA does not support communication sessions or networking functions. The attack vector associated with this control does not exist and the control is not required.
  Class A.3 Basis [X]: See Class A.2 Basis.
  Class B.1 Basis [X]: By definition, a Class B.1 CDA has no interfaces, peripherals or ports (or they have been physically disabled) other than the special purpose connection used only for configuration purposes and serial ports for asynchronous communication using industrial protocols that are functionally restricted to only permit the extraction of CDA data. Thus, the attack vector associated with this control does not exist and the control is not required.
  Class B.2 Basis [X]: By definition, a Class B.2 CDA has no interfaces, peripherals, or ports (or they have been physically disabled) other than the special purpose connection used only for configuration purposes and serial ports for asynchronous communication using industrial protocols which do not support authentication mechanisms but enable control of pre-defined functions and CDA outputs connected to plant equipment. Thus, the attack vector associated with this control exists. Therefore, by using the method provided in Section 3.1.6 of the CSP, this security control is addressed by protecting the system/device to which the CDA is communicating from cyber attack at the same level of confidence as the B.2 CDA and by security measures implemented to address the D3.6 security control.
  Class B.3 Basis [X]: By definition, a Class B.3 CDA has no interfaces, peripherals, or ports (or they have been physically disabled) other than the special purpose connection used only for configuration purposes and serial ports for asynchronous communication using industrial protocols which do not support authentication mechanisms but enable control of pre-defined functions and CDA outputs connected to plant equipment, and include the ability to make alterations to CDA configuration settings and possibly the functional capabilities of the CDA (but not its program code). Thus, the attack vector associated with this control exists. Therefore, by using the method provided in Section 3.1.6 of the CSP, this security control is addressed by protecting the system/device to which the CDA is communicating from cyber attack at the same level of confidence as the B.3 CDA and by security measures implemented to address the D3.6 security control.

D3.18 Thin Nodes (D3.18)
  Class A.2 Basis [X]: The licensee verified that the Class A.2 CDA only provides the minimum capabilities to perform its function, supports only vendor-specified functionality, and its programming cannot be altered. Therefore, this control has been addressed by the vendor.
  Class A.3 Basis [X]: The licensee verified that the Class A.3 CDA only provides the minimum capabilities to perform its function, supports only vendor-specified functionality, and its programming cannot be altered. This control has been addressed by the vendor. Thus, the attack vectors associated with this security control do not exist and the control is not required.
  Class B.1 Basis [X]: See Class A.3 Basis.
  Class B.2 Basis [X]: See Class A.3 Basis.
  Class B.3 Basis [X]: See Class A.3 Basis.

D3.19 Confidentiality of Information at Rest (D3.19)
  Class A.2 Basis [X]: The Class A.2 CDA does not contain any information, settings, or parameters that are SGI or SRI information. The attack vector associated with this control does not exist and the control is not required.
  Class A.3 Basis [X]: See Class A.2 Basis.
  Class B.1 Basis [X]: See Class A.2 Basis.
  Class B.2 Basis [X]: See Class A.2 Basis.
  Class B.3 Basis [X]: See Class A.2 Basis.

D3.20 Heterogeneity (D3.20)
  Class A.2 Basis [X X]: This security control can be commonly addressed by the plant by inheriting the protection provided by the licensee's program to address common mode failure issues associated with safety and security systems.
  Class A.3 Basis [X X]: See Class A.2 Basis.
  Class B.1 Basis [X X]: See Class A.2 Basis.
  Class B.2 Basis [X X]: See Class A.2 Basis.
  Class B.3 Basis [X X]: See Class A.2 Basis.

D3.21 Fail in Known (Safe) State (D3.21)
  Class A.2 Basis [X]: The engineering process ensures and documents that components fail in a state that is bounded by the design basis of the plant.
  Class A.3 Basis [X]: See Class A.2 Basis.
  Class B.1 Basis [X]: See Class A.2 Basis.
  Class B.2 Basis [X]: See Class A.2 Basis.
  Class B.3 Basis [X]: See Class A.2 Basis.

D4.1 Identification and Authentication Policies and Procedures (D4.1)
  Class A.2, A.3, B.1, B.2 and B.3 Basis [X X for each class]: The Identification and Authentication Policies and Procedures control is a common control applicable to the licensee organization. Its requirements should be applied to CDAs based upon defined and documented identification and authentication policies and procedures.

D4.2 User Identification and Authentication (D4.2)
  Class A.2 Basis [X]: Class A.2 CDAs have integral HMIs that allow anyone (authorized or unauthorized) to manipulate operational parameters, which could lead to an adverse impact to SSEP functions. For A.2 CDAs, access to the CDA is managed by controlling access to the CDAs; thus, using the method provided in Section 3.1.6 of the cyber security plan, this security control is addressed by the security measures implemented to address D1.3 and D1.5 as alternate security measures that provide protection equal to this security control.
  Class A.3 Basis [X]: By definition, Class A.3 CDAs have a self-protection mechanism (password, key, etc.) to restrict HMI user access; however, they do not have the ability to uniquely identify each user. Therefore, using the method provided in Section 3.1.6 of the cyber security plan, this security control is addressed by implementing the security measures provided in D1.2 and D1.3.
  Class B.1 Basis [X]: See Class A.3 Basis.
  Class B.2 Basis [X]: See Class A.3 Basis.
  Class B.3 Basis [X]: See Class A.3 Basis.

D4.3 Password Requirements (D4.3)
  Class A.2 Basis [X]: Class A.2 CDAs do not support passwords; therefore there is no requirement to address password complexity, duration or length in relation to Class A.2 CDAs, so this control does not apply and is not required.
  Class A.3 Basis [X]: By definition, Class A.3 CDAs have a self-protection mechanism (e.g., password, key) to restrict HMI user access; however, they do not support password requirements that are sufficient to address the attack vectors associated with this security control. Therefore, by using the method provided in Section 3.1.6 of the cyber security plan, the licensee has implemented the security measures specified in control D4.2 to minimize the attack vectors associated with this control.
  Class B.1 Basis [X]: See Class A.3 Basis.
  Class B.2 Basis [X]: See Class A.3 Basis.
  Class B.3 Basis [X]: See Class A.3 Basis.

D4.4 Non-Authenticated Human Machine Interaction (HMI) Security (D4.4)
  Class A.2 Basis [X]: Although Class A.2 CDAs have integral HMIs that allow anyone (authorized or unauthorized) to manipulate operational parameters, which could lead to an adverse impact to SSEP functions, access to the CDA is controlled and managed by the security measures implemented to address D1.3 and D1.5. Thus no one can access the integral HMI unless the user is authorized and provided means to access the cabinet of the A.2 CDAs as described in D1.3 and D1.5. Therefore, the attack vector associated with this control does not exist and this control is not applicable.
  Class A.3 Basis [X]: All user interaction with the Class A.3 CDA is via its access-restricted, integral HMI (which does require some form of authentication: password, fob, key, etc.), and thus there are no unauthenticated user interactions. Therefore, this control does not apply.
  Class B.1 Basis [X]: See Class A.3 Basis.
  Class B.2 Basis [X]: See Class A.3 Basis.
  Class B.3 Basis [X]: See Class A.3 Basis.

D4.5 Device Identification and Authentication (D4.5)
  Class A.2 Basis [X X]: By definition, a Class A.2 CDA may (only) support connectivity to and communication with maintenance tools used to make configuration settings and changes. Modifications to the CDA's configuration can change how A.2 CDAs function and could cause an adverse impact to SSEP functions. The maintenance tool provides a potential attack vector to Class A.2 CDAs, and thus this control must be addressed. The licensee can address this security control by implementing D1.19 and E4.2.
  Class A.3 Basis [X X]: By definition, a Class A.3 CDA may (only) support connectivity to and interfacing with maintenance tools used to make configuration settings and changes. The configuration of the Class A.3 CDA can be altered via use of the maintenance tools. The modifications to the CDA's configuration can change how A.3 CDAs function and could cause adverse impacts to their SSEP functions. Therefore, the attack vector exists. This control must be addressed, and this can be accomplished by implementing D1.19 and E4.2.
  Class B.1 Basis [X X]: By definition, a Class B.1 CDA supports connectivity to and interfacing with both maintenance tools used to make configuration settings and changes, and other systems or devices via its asynchronous, serial communication channels. The licensee has verified, validated and documented that the CDA meets the B.1 criteria. Thus, the attack vectors associated with the asynchronous, serial communication channel for this security control do not exist. But, because the configuration of the Class B.1 CDA can be altered via the use of the maintenance tool, the attack vector does exist and the control must be addressed. Modifications to the CDA's configuration could cause an adverse impact to the CDA's SSEP functions. The licensee can address this security control by implementing D1.19 and E4.2.
  Class B.2 Basis [X X]: By definition, a Class B.2 CDA supports connectivity to and interfacing with both maintenance tools used to make configuration settings and changes, and other systems or devices via its asynchronous, serial communication channels. Since the configuration of the Class B.2 CDA can be altered via the use of the maintenance tool, the attack vector does exist and the control must be addressed. Modifications to the CDA's configuration could cause an adverse impact to the CDA's SSEP functions. The licensee can address this security control by implementing D1.19 and E4.2. The asynchronous serial channels allow for CDA information extraction as well as for CDA output control (and possibly plant equipment control) and for control of pre-defined CDA functionality. Thus, the attack vectors associated with this control exist for the asynchronous, serial communication channel and must be addressed. Since the B.2 CDAs lack the capability to implement this control, by using the method provided in Section 3.1.6 of the CSP, the attack vectors associated with this asynchronous communication channel are addressed by the security measures implemented to address control D1.4.
  Class B.3 Basis [X X]: See Class B.2 Basis.

D4.6 Identifier Management (D4.6)
  Class A.2 Basis [X]: By definition, a Class A.2 CDA has no user identifiers, and thus there is no automated way for the CDA to manage identifiers. Using the method provided in Section 3.1.6 of the cyber security plan, this security control is addressed by the security measures implemented to address D1.3 and D1.5 as alternate security measures that provide protection equal to this security control.
  Class A.3 Basis [X]: See Class A.2 Basis.
  Class B.1 Basis [X]: See Class A.2 Basis.
  Class B.2 Basis [X]: See Class A.2 Basis.
  Class B.3 Basis [X]: See Class A.2 Basis.

D4.7 Authenticator Management (D4.7)
  Class A.2 Basis [X]: By definition, a Class A.2 CDA has no authenticators, and thus there is no requirement to manage them in relation to a Class A.2 CDA. Thus, the attack vector associated with this control does not exist and the control is not required.
  Class A.3 Basis [X]: The Class A.3 CDA has an access-restricted integral HMI that requires a user to have some form of authenticator (e.g., a password, fob, key, etc.) so that only authorized personnel may utilize the HMI. Therefore, the attack vector associated with this control exists and the control must be addressed. By using the method provided in Section 3.1.6 of the cyber security plan, the licensee implements the security measures provided in D1.2 and D1.3 to address this security control.
  Class B.1 Basis [X]: See Class A.3 Basis.
  Class B.2 Basis [X]: See Class A.3 Basis.
  Class B.3 Basis [X]: See Class A.3 Basis.

D4.8 Authenticator Feedback (D4.8)
  Class A.2 Basis [X]: A Class A.2 CDA by definition has a non-authenticated HMI. Since the CDA has no user authentication mechanisms and does not contain any SRI or SGI information, the attack vector associated with this control does not exist and the control is not required.
  Class A.3 Basis [X X]: Class A.3 CDAs may restrict access to the HMI via password protection. However, the CDA may or may not obscure the entry of the authenticator (i.e., password); therefore protection of the authenticator feedback is required to ensure that authentication credentials cannot be observed during use. This control is addressed by a plant procedure that requires personnel to obscure the CDA HMI while entering any password.
  Class B.1 Basis [X X]: See Class A.3 Basis.
  Class B.2 Basis [X X]: See Class A.3 Basis.
  Class B.3 Basis [X X]: See Class A.3 Basis.

D4.9 Cryptographic Module Authentication (D4.9)
  Class A.2 Basis [X]: A Class A.2 CDA does not use cryptography. Therefore, cryptographic functions/protections are not required, and the attack vector associated with this control does not exist and the control is not required.
  Class A.3 Basis [X]: See Class A.2 Basis.
  Class B.1 Basis [X]: See Class A.2 Basis.
  Class B.2 Basis [X]: See Class A.2 Basis.
  Class B.3 Basis [X]: See Class A.2 Basis.

D5.1 Removal of Unnecessary Services and Programs (D5.1)
  Class A.2 Basis [X]: The licensee has verified that this Class A.2 CDA by design does not contain unnecessary or unused applications, utilities, tools, or services that could be eliminated to reduce the available attack surface. Therefore, there is no need to remove unnecessary services or programs, and the attack vector associated with this control does not exist and the control is not required.
  Class A.3 Basis [X]: See Class A.2 Basis.
  Class B.1 Basis [X]: See Class A.2 Basis.
  Class B.2 Basis [X]: See Class A.2 Basis.
  Class B.3 Basis [X]: See Class A.2 Basis.

D5.2 Host Intrusion Detection System (HIDS) (D5.2)
  Class A.2 Basis [X]: Class A.2 CDAs have no communication capabilities aside from their configuration connection (or these capabilities have been physically disabled), and the program code of the A.2 CDA cannot be changed. Thus, the attack vector associated with this control does not exist and the control is not required.
  Class A.3 Basis [X]: By definition, a Class A.3 CDA has no communication ports or interfaces (or they have been physically disabled), other than the special-purpose connection used to connect maintenance equipment for configuration modification of the Class A.3 CDAs. Additionally, an A.3 CDA does not have an interface through which a user can gain access, and its program code (e.g., instruction-level code, configuration, settings) and configuration cannot be altered. The attack vectors associated with the maintenance tool (which is a portable media) for this security control are addressed by the protection provided on the tool. Thus, based on the above, the attack vectors associated with this security control do not exist and this security control is not required.
  Class B.1 Basis [X]: A Class B.1 CDA is not isolated and has serial asynchronous communications with other systems or devices; however, these communications are functionally constrained per the B.1 criteria. Additionally, a B.1 CDA does not have an interface through which a user can gain access, and its program code (e.g., instruction-level code, configuration, settings) and configuration cannot be altered. The attack vectors associated with the maintenance tool (which is a portable media) for this security control are addressed by the protection provided on the tool. Thus, based on the above, the attack vectors associated with this security control do not exist and this security control is not required.
  Class B.2 Basis [X]: See Class B.1 Basis.
  Class B.3 Basis [X]: A Class B.3 CDA has serial asynchronous communications with other systems or devices. The serial asynchronous communication ports for a Class B.3 CDA are functionally restricted but do permit the control of CDA outputs, the control of pre-configured CDA functions and alteration of CDA configuration settings (but not its program code). Thus, the attack vector associated with this control exists and this security control must be addressed. By using the method provided in Section 3.1.6 of the cyber security plan, this security control is addressed by the security measures implemented to address D3.6 and by applying this security control to the systems/devices with which the CDA is communicating, with the CDA inheriting the protection provided by those systems/devices.

D5.3 Changes to File System and Operating System Permissions (D5.3)
  Class A.2 Basis [X]: The licensee has verified that this Class A.2 CDA does not have a file system or user-alterable security settings. Therefore, the attack vector associated with this control does not exist and the control is not required.
  Class A.3 Basis [X]: See Class A.2 Basis.
  Class B.1 Basis [X]: See Class A.2 Basis.
  Class B.2 Basis [X]: See Class A.2 Basis.
  Class B.3 Basis [X]: See Class A.2 Basis.

D5.4 Hardware Configuration (D5.4)
  Class A.2 [X]: Licensee has verified that this Class A.2 CDA does not support extraneous, unnecessary hardware and specifically does not incorporate ports, interfaces, or peripheral devices that could be used as attack vectors (or they have been physically disabled). This type of CDA has factory-installed program code that is non-alterable. Thus, the attack vector associated with this control does not exist and the control is not required.
  Class A.3 [X]: See Class A.2 Basis.
  Class B.1 [X]: See Class A.2 Basis.
  Class B.2 [X X]: The licensee has verified that this B.2 CDA does not support extraneous, unnecessary hardware and specifically does not incorporate ports, interfaces, or peripheral devices that could be used as attack vectors. This type of CDA has factory-installed program code that is non-alterable. Note: If the CDA supports multiple serial ports where some are not assigned for use, this security control could be applicable. The licensee can address this security control by verifying and documenting that any such ports not being used are physically disabled.
  Class B.3 [X X]: See Class B.2 Basis.

D5.5 Installing Operating Systems, Applications, and Third-Party Software Updates (D5.5)
  Class A.2 [X]: This type of CDA cannot be patched since its program code is factory-installed and cannot be altered. Therefore, the attack vector associated with this control does not exist and the control is not required.
  Class A.3 [X]: See Class A.2 Basis.
  Class B.1 [X]: See Class A.2 Basis.
  Class B.2 [X]: See Class A.2 Basis.
  Class B.3 [X]: See Class A.2 Basis.

E1.3 Media Labeling/Marking (E1.3)
  Class A.2 [X]: By definition, the Class A.2 CDA has no support for removable media or peripherals for generating output (other than analog, contact and pulse I/O signals) and thus the attack vector associated with this control does not exist and the control is not required.
  Class A.3 [X]: By definition, the Class A.3 CDA does not support any interfaces that accept portable media and does not contain any type of SGI or SRI information; thus the attack vector associated with this control only applies to the maintenance tool.
  Class B.1 [X]: See Class A.3 Basis.
  Class B.2 [X]: See Class A.3 Basis.
  Class B.3 [X]: See Class A.3 Basis.

E1.6 Media Sanitation and Disposal (E1.6)
  Class A.2 [X]: By definition, the Class A.2 CDA does not support any interfaces or peripheral devices that accept portable media and does not contain any type of SGI or SRI information; thus the attack vector associated with this control does not exist and the control is not required.
  Class A.3 [X]: By definition, the Class A.3 CDA does not support any interfaces that accept portable media and does not contain any type of SGI or SRI information; thus the attack vector associated with this control does not exist and the control is not required.
  Class B.1 [X]: See Class A.3 Basis.
  Class B.2 [X]: See Class A.3 Basis.
  Class B.3 [X]: See Class A.3 Basis.

E3.3 Malicious Code Protection (E3.3)
  Class A.2 [X]: By definition, the program code of the Class A.2 CDA cannot be altered and thus the attack vector associated with this control does not exist and the control is not required.
  Class A.3 [X]: By definition, the Class A.3 CDA cannot be infected by malicious code as its firmware cannot be changed. But the functions of the CDA can be altered by manipulation of configuration parameters which are accessible via the integral HMI and the maintenance tool. The maintenance tool thus provides an attack vector and must be protected against malicious code. The malicious code protection mechanisms for the maintenance tool are addressed per D1.19 and the E4 family of security controls.
  Class B.1 [X]: See Class A.3 Basis.
  Class B.2 [X]: See Class A.3 Basis.
  Class B.3 [X]: By definition, the Class B.3 CDA cannot be infected by malicious code as its firmware cannot be changed. But the functions of the CDA can be altered by manipulation of configuration parameters which are accessible via the integral HMI, the maintenance tool, and the system/device to which the CDA is communicating. Thus, the maintenance tool and the system/device provide an attack vector and must be protected against malicious code. The malicious code protection mechanisms for the maintenance tool are addressed per D1.19 and the E4 family of security controls, and for the system/devices they are addressed by the security measures implemented to address E3.8.

E3.4 Monitoring Tools and Techniques (E3.4)
  Class A.2 [X]: This control applies to the plant-wide security monitoring capability and multi-level security architecture, and Class A.2 CDAs do not collect or provide any information of value to a plant-wide monitoring functionality. Thus, this control is not applicable to Class A.2 CDAs and the control is not required.
  Class A.3 [X]: See Class A.2 Basis.
  Class B.1 [X]: See Class A.2 Basis.
  Class B.2 [X]: See Class A.2 Basis.
  Class B.3 [X]: See Class A.2 Basis.

E3.6 Security Functionality Verification (E3.6)
  Class A.2 [X X]: This security control is addressed by verifying and documenting that the security measures implemented to address D1.3 are periodically evaluated in accordance with 10 CFR 73.55(m) to ensure that the implemented security measures are operating correctly and effectively to prevent and detect unauthorized access.
  Class A.3 [X]: Because the Class A.3 CDA employs some form of HMI user access restriction, the attack vector associated with this control exists and the control must be addressed. The correct operation of the integral access protection mechanisms (e.g., password, keylock, fob) of the CDAs is verified and documented periodically in accordance with 10 CFR 73.55(m), upon startup and restart, upon command by a user with appropriate privilege, and when anomalies are discovered. If a locked and alarmed cabinet or other security measures are used to address the required security controls, per plant procedure, the correct operation of these security measures is verified and documented periodically in accordance with 10 CFR 73.55(m).
  Class B.1 [X]: See Class A.3 Basis.
  Class B.2 [X]: See Class A.3 Basis.
  Class B.3 [X]: See Class A.3 Basis.

E3.7 Software and Information Integrity (E3.7)
  Class A.2 [X]: Although the program code of an A.2 CDA cannot be altered, these CDAs have integral HMIs that allow anyone (authorized or unauthorized) to manipulate operational parameters, which could lead to an adverse impact to SSEP functions. The A.2 CDA's configuration can be modified using special tools, and this can alter the CDA's functionality. Therefore, the attack vector associated with this control exists and the control must be addressed. Using the method provided in Section 3.1.6 of the cyber security plan, this security control is addressed by the security measures implemented to address D1.3 and D1.5 as alternate security measures that provide equal protection as this security control against attack vectors associated with the integral HMI. Additionally, the security measures implemented to address D4.5 and E4.2 serve as alternate security measures that provide equal protection as this security control against attack vectors associated with modification of the A.2 CDA's configuration using maintenance tools.
  Class A.3 [X]: A Class A.3 CDA is a stand-alone device that does not support communication with other devices, has no remote communications, and its programming cannot be changed. The primary attack vectors associated with A.3 CDAs are unauthorized manipulation of operational parameters or configuration via the HMI and unauthorized manipulation of configuration via a maintenance tool and/or a special-purpose connection. Class A.3 CDAs have self-protection mechanisms (e.g., password, key) to restrict HMI user access; however, they do not have the ability to validate operational or configuration changes. Unauthorized access to the HMI could enable alteration of configuration settings that could adversely impact SSEP functions. Therefore, this control must be addressed. Using the method provided in Section 3.1.6 of the cyber security plan, this security control is addressed by implementing security measures to address D1.2, D1.3, D2.2 and D2.3.
  Class B.1 [X]: A Class B.1 CDA has limited communications capability, and its programming cannot be changed, including via its communications functions. The primary attack vectors associated with B.1 CDAs are unauthorized manipulation of operational parameters or configuration via the HMI and unauthorized manipulation of configuration via a maintenance tool and/or a special-purpose connection. Class B.1 CDAs have self-protection mechanisms (e.g., password, key) to restrict HMI user access; however, they do not have the ability to validate operational or configuration changes. Unauthorized access to the HMI could enable alteration of configuration settings that could adversely impact SSEP functions. Therefore, this control must be addressed. Using the method provided in Section 3.1.6 of the cyber security plan, this security control is addressed by security measures implemented to address D1.2, D1.3, D2.2 and D2.3.
  Class B.2 [X X]: See Class B.1 Basis.
  Class B.3 [X X]: See Class B.2 Basis. Additionally, relative to the asynchronous serial ports, the attack vector associated with this control also exists and this security control must be addressed. Using the method provided in Section 3.1.6 of the cyber security plan, this security control may be addressed by licensees protecting the system/device as a CDA and the B.3 CDA inheriting the protection provided by the system/device.

E3.8 Information Input Restrictions (E3.8)
  Class A.2 [X]: Class A.2 CDAs have no interface through which a user can gain access and change program code (e.g., instruction-level code, configuration, or settings) or the configuration of the CDA, and they do not log/record user activity via the local/integral HMI. A.2 CDAs only allow modification of operational parameters by anyone who has access to the integral HMI. Class A.2 device HMIs only expose functionality to change operational set points, and do not accept non-pre-programmed or non-pre-defined inputs that would require input restrictions. Therefore, attack vectors associated with this security control do not exist and the control is not required.
  Class A.3 [X]: A Class A.3 CDA by definition has an access-restricted integral HMI that provides access to operational and configuration settings. Since the malicious modification of those could have an adverse impact on SSEP functions, the attack vectors associated with the HMI exist and the control must be addressed. This control is addressed using the alternative countermeasures provided in control E3.7.
  Class B.1 [X]: See Class A.3 Basis.
  Class B.2 [X]: A Class B.2 CDA is designed to receive input data from the integral HMI and from the system/device to which the CDA is communicating. However, the CDA does not have the capability to check or screen the input data for accuracy, completeness, validity, or authenticity. Since malicious input data from the integral HMI or the system/device could adversely impact SSEP functions, the attack vectors associated with the HMI exist and the control must be addressed. Therefore, by using the method provided in Section 3.1.6 of the CSP, this security control is addressed by the following:
    • For the integral HMI, this control is addressed by the security measures implemented to address E3.7.
    • For the system/device, the licensee verifies and documents that the CDA only recognizes the factory-predefined data (commands). Additionally, the licensee protects the system/device as a CDA, the B.2 CDA inherits the protection provided by the system/device, and the licensee verifies and documents that all other ports are physically disabled, if the CDA has other ports.
  Class B.3 [X]: See Class B.2 Basis.

E3.9 Error Handling (E3.9)
  Class A.2 [X]: A Class A.2 CDA by definition does not contain SRI or SGI information of value to an adversary and does not produce error messages. Thus, the attack vector associated with this control does not exist and the control is not required.
  Class A.3 [X]: See Class A.2 Basis.
  Class B.1 [X]: See Class A.2 Basis.
  Class B.2 [X]: See Class A.2 Basis.
  Class B.3 [X]: See Class A.2 Basis.

E4.2 Maintenance Tools (E4.2)
  Class A.2 [X X]: A Class A.2 CDA by definition may allow changes to its configuration using a maintenance tool or via a special-purpose interface, and only by taking the Class A.2 CDA out of service (which can only be done locally, at the CDA). These CDAs generally have no integral technical ability to verify the accuracy or validity of configuration setting changes made with those tools. Modifications to the CDA's configuration can change how A.2 CDAs function and could cause adverse impact to SSEP systems, equipment or functions; therefore the attack vector associated with this control exists and the control must be addressed. The licensee can address this security control by accomplishing the following:
    • Ensuring the maintenance tool is not connected to another device or network (including wireless networks) when connected to the CDA. Portable media connected to the maintenance tool while the maintenance tool is connected to the CDA are controlled in accordance with D1.19.
    • Approving, monitoring, and documenting the use of maintenance tools used to maintain CDAs.
    • Controlling maintenance tools associated with CDAs to prevent improper modifications. Maintenance tools include, for example, diagnostic and test equipment and mobile devices such as laptops.
    • Checking and documenting media and mobile devices, such as laptops, containing diagnostic, system, and test programs/software for malicious code before the media or mobile device is used in/on CDAs.
    • Controlling the removal of maintenance equipment by one of the following:
      o Retaining the equipment within licensee control so that unauthorized access to the maintenance equipment or systems is prevented.
      o Obtaining approval from an authority authorizing removal of the equipment from licensee control.
      o Verifying that there is no licensee security-related or SGI information contained on the equipment and validating the integrity of the device before reintroduction into licensee control. If unable to verify/validate the integrity of the device, then sanitize or destroy the equipment.
    • Employing automated or manual mechanisms to restrict the use of maintenance tools to authorized personnel; employing manual mechanisms where CDAs or support equipment (e.g., laptops) cannot support automated mechanisms.
  Class A.3 [X X]: See Class A.2 Basis.
  Class B.1 [X X]: See Class A.2 Basis.
  Class B.2 [X X]: See Class A.2 Basis.
  Class B.3 [X X]: See Class A.2 Basis.

Appendix E. NEI 13-10 FREQUENTLY ASKED QUESTIONS

Question 1: Does the expression "Safety functions" in Section 4 include important-to-safety?

Answer: Section 4 was revised in NEI 10-04, Revision 3, to clarify Safety-Related and Important-to-Safety and how they pertain to the expression "Safety functions."

Question 2: How does augmented quality apply to NEI 13-10?

Answer: Augmented quality CDAs, such as those in the Fire Protection, ATWS, Environmental Qualification (EQ), and SBO programs, perform Important-to-Safety functions but must be screened through these criteria to be classified as Indirect. Section 4 was revised in NEI 10-04, Revision 3, to clarify Safety-Related and Important-to-Safety and how they pertain to the expression "Safety functions."

Question 3: Can a site's accident analysis be used to inform the screening in Section 3.2?

Answer: Yes. However, since the site's accident analyses are based on CDA failure, they may not cover conditions or events that would be caused by the cyber compromise of the CDAs. The events caused by a cyber compromise go beyond simple failure and may include full or partial loss of control of the CDA, malfunctioning of the CDA, generation of false/misleading data by the CDA, suppression of valid alarm indications or generation of false alarm indications by the CDA, and even autonomous operation of associated plant equipment by the CDA. One way to cover the conditions resulting from the cyber compromise of a system/CDA is to perform an analysis demonstrating how the consequences resulting from a cyber compromise of the BOP system or CDA are:

  • Bounded by the current accident or other analysis;
  • Mitigated by the plant operators, who apply their training and operating experience to ensure that the abnormal plant conditions caused by cyber compromise of BOP are within the Safety boundary; and
  • Prevented from propagating to Safety systems, by ensuring that the Safety instruments that perform safety functions are isolated from the BOP CDAs so that the cyber compromise of the BOP CDAs would not adversely impact the Safety CDAs or systems in performing their functions.

Based on the above, a cyber compromise of the BOP CDAs does not lead to adverse impact to the Safety CDAs or systems. Therefore, the time required to detect and mitigate the cyber compromise of BOP CDAs before adverse impact to Safety CDAs or systems need not be determined.

Question 4: Can wireless technologies be used with non-direct CDAs?

Answer: In general, the answer is no, because to implement the baseline protections provided in Section 5 of NEI 13-10 to streamline the protection of Indirect CDAs, the Indirect CDA must meet the baseline criteria, including the following:

  • The Indirect CDA and any interconnected assets do not have wireless internetworking communications technologies; and
  • The Indirect CDA and any interconnected assets must be air gapped or protected by a deterministic isolation device.

The CSP Section 3.1.6 process allows licensees to propose alternative countermeasures to any technical controls provided in the CSPs. However, because the above two criteria have been determined to eliminate the threat and attack vectors associated with wired and wireless communications, many of the technical security controls specified in the CSP are addressed by the above criteria. Therefore, for a CDA to be classified as an Indirect or BOP CDA, the CDA must comply with these two criteria.

However, an exception can be made for certain radio-based communication devices, which may be considered non-direct CDAs, if the following conditions are met:

  • These devices support certain security functions;
  • Licensees have already accounted for potential compromise of the CDAs;
  • These devices are isolated from other networks and other systems or equipment; and
  • The consequences of their cyber compromise can be detected, and independent alternate means are available to perform that communication function.

Therefore, the licensee may evaluate these devices based on, but not limited to, their functions, capabilities, connections, and configurations to identify them as Indirect CDAs.

Question 5: [DELETED]

Question 6: Are additional criteria required for screening complex CDAs, or to limit certain CDAs from being classified as Indirect?

Answer: No. Classification of a CDA as Indirect is based on satisfying the criteria and is not dependent on the complexity of the CDA.

The ability to detect cyber compromise prior to adverse impact to Safety, Security, or EP functions may be easier to implement and document for simple CDAs than for complex CDAs.

Because simple CDAs may have limited and defined functional capabilities, they may have a small attack surface and limited potential consequences. Therefore, the Indirect CDA determination for a simple CDA can be justified and documented by showing that various existing plant procedures and engineering and reliability measures, which the licensee has already implemented to address abnormal behavior of the controller, provide adequate detection and remediation prior to any adverse impact to Direct CDAs or to Safety or Security functions.

The objective of Indirect assessment is to address cyber security requirements by ensuring that there is no adverse impact to Direct CDAs, or to Safety or Security functions, due to cyber compromise. This method focuses on securing the associated function(s) through detection and mitigation. In effect, this method must assume the CDA is compromised and must then provide documented assurance that the compromise cannot adversely impact the associated Direct CDAs or function(s). Direct assessment provides a fundamentally different approach to protecting the same functions by implementing controls focused on preventing a compromise of the CDA.

Indirect assessment is not dependent on the complexity of the CDA. It is only dependent on the ability to detect and mitigate adverse impact to Direct CDAs or to the function. A complex CDA may have a relatively easy method of detecting and mitigating adverse impact. For example, the only function of the Plant Computer may be to provide an indication of thermal power to ensure the plant is operating within Tech Spec limits. A compromise can be detected and mitigated because alternate indication is readily available through alternate detectors, and because adverse impact can only occur indirectly through manual Operator action. In this case, Indirect assessment of the Plant Computer provides a relatively easy and reliable method of preventing adverse impact to the function through detection and mitigation.

A complex CDA that has a large number of functional capabilities incorporated by means of its software, and that may support a number of interfaces and peripheral devices, may have many potential consequences due to cyber compromise. The Indirect CDA determination may not reduce the effort compared to addressing each of the security controls required of a Direct CDA. CDAs may be associated with multiple SSEP functions; the Indirect assessment must address detection and mitigation prior to adverse impact for all of those SSEP functions.

For non-complex CDAs that have multiple SSEP functions, it may be easier to identify the CDA as Direct.

Question 7: What are acceptable methods of detecting and mitigating cyber compromise to satisfy Section 3?

Answer: Examples of potential detection and mitigation prior to impact include:

  • Detection prior to use. An example of detection prior to use may be Operations verifying alternate indications prior to taking a manual action. This method eliminates the need to continuously monitor for compromise if a quality check is done prior to taking actions that would adversely impact the SSEP function.
  • Tech Spec and TRM surveillance may provide acceptable detection and frequencies for associated CDA functions. This is acceptable for some of the most important CDAs and may be a method that could also be implemented for other CDAs if supported by justification that the detection frequency will provide sufficient time to mitigate adverse impact to the SSEP function.
  • The time to detect may be infinite if it can be shown that there is never an adverse impact. Some CDAs may be associated with an SSEP function or may impact an SSEP function, but may not be capable of adversely impacting the SSEP function. In this case the answer should explain why there is no adverse impact and therefore an infinite time to detect. Generally, N/A should not be used, but if it is used then it must be supported by an explanation as to why it is N/A.
  • IDS may be an acceptable method of detection, but justification is required to show how this would permit mitigation prior to impact.

Question 8: Can CDAs associated with Security functions be classified as Indirect?

Answer: Yes. An example is a Security System HVAC unit. In this example the HVAC unit is a support system to the Security Computer. If this CDA is compromised it can result in an overheating condition and subsequent failure of the Security Computer, thereby adversely impacting the security functions of the Security Computer. The example documents that the temperature increase in the room can be detected and that methods of mitigating this condition can be implemented before the functions of the Security Computer are adversely impacted. This meets all of the Indirect screening criteria in Section 3.

Appendix F. GUIDANCE FOR APPLICATION OF NEI 08-09 APPENDIX E CONTROLS TO INDIRECT, EP, AND BOP SCRAM/TRIP CDAS

This Appendix provides a consistent method for addressing NEI 08-09, Appendix E, cyber security controls for Indirect, EP, and BOP/Scram-Trip (at Medium or High facilities) CDAs, and provides a specific accounting of each control to demonstrate compliance with Section 3.1.6 of the cyber security plan (CSP). See Section 3.2 for the Appendix E controls required for BOP CDAs (low impact facilities).

Note: EP digital assets that did not screen out through the NEI 10-04 characterization process and do not meet the Indirect criteria in NEI 13-10, Section 5, should be classified as Direct CDAs and the cyber security controls should be addressed accordingly.

This Appendix addresses the NEI 08-09, Appendix E, cyber security controls for CDAs not identified as direct by using alternative security controls that achieve the same objectives and purpose as the controls specified in Appendix E of the CSP by confirming that alternative security measures mitigate the threat/attack vector the control is intended to protect. In accordance with Section 3.1.6, the following are used as alternative security controls to address the Appendix E controls:

  • The analysis which demonstrates the CDA is not direct,
  • The implementation of the baseline cyber security protection criteria provided in Section 5, and
  • Addressing the Appendix E controls using the table below.
1. TABLE DESCRIPTION

Each Appendix E control is assigned to one of the following three categories. The table describes how the control is addressed in accordance with Section 3.1.6 of the licensee's CSP.

Technical - Security controls in NEI 08-09, Appendix E, that are recognized as Technical and are not Operational & Management (O&M) in NEI 13-10.

These controls are already addressed by the applicable baseline cyber security protection criteria provided in Section 5. No additional implementation is required for individual CDAs, unless the technical control is relied upon to accomplish the detection criteria for Indirect CDAs.

This is based on the general description in NEI 13-10, Section 3, which recognizes that selected controls from NEI 08-09, Appendix E, are technical and that those security controls are addressed by taking credit for implementing measures to detect and mitigate the cyber compromise prior to adverse impact to Direct CDAs or Safety-Related, Security, or EP functions, and by implementing the specific controls in Section 5 of NEI 13-10. These controls are specifically identified in NEI 13-10 Appendix D, Table A.3, and include E.1.3, E.1.6, E.3.3, E.3.4, E.3.6, E.3.7, E.3.8, E.3.9, and E.4.2.

Addressed - These cyber security controls are already specifically addressed by existing controls identified within NEI 13-10. For example, E.5 Physical and Operational Environment Protection is already addressed in Section 5 of NEI 13-10 by criterion (a).

Controls that are already addressed will be implemented according to NEI 13-10 guidance.

Where applicable guidance is established in NEI 13-10, this will be implemented for consistency and to eliminate duplicate or conflicting requirements.

Addressed Programmatically - NEI 08-09, Appendix E, controls that do not fall into either of the above categories.

This category addresses the Appendix E controls for the non-direct CDA by using the programmatic approaches. Where possible, these Appendix E security controls are addressed by the existing plant programs to fulfill the control objectives.

2. USE OF THE TABLE The table below describes how licensees have addressed the NEI 08-09, Appendix E, controls for non-direct CDAs. Licensees must modify the table to provide specific procedure/documentation references where required. The modified table may then be used in conjunction with documentation specified in Section 3 of NEI 13-10 to document non-direct CDA compliance to the NEI 08-09 Appendix D and E controls.

F-2

NEI 13-10 (Revision 7)

October 2021 Addressed Programm Control Control Title Technical Addressed Basis atically E.1.1 Media Protection Policy and X For SGI and SRI information, the licensees information Procedures (SGI, Non-SGI protection is addressed by [Insert site specific procedure and 2.390) reference] which address the 10CFR73.21 and 10CFR2.390 program.

E.1.2 Media Access X Same as E.1.1 E.1.3 Media Labeling/Marking X X Same as E.1.1 E.1.4 Media Storage X Same as E.1.1 E.1.5 Media Transport X Same as E.1.1 E.1.6 Media Sanitation and Disposal X X Same as E.1.1 E.2.1 Personnel Security Policy and X This control is addressed by complying with the requirements Procedures of 10CFR73.56. [Insert site specific procedure reference.]

E.2.2 Personnel Termination/Transfer X This control is addressed by complying with the requirements of 10CFR73.56 along with the work controls and Human Resources personnel termination/transfer procedures. [Insert site specific procedure reference.]

Additionally, per the licensees cyber security policy and the termination/transfer procedures, the site ensures that logical access to CDAs is revoked for individuals who no longer require access to the CDAs.

E.3.1 System and Information Integrity X The licensees system and information integrity is addressed Policy and Procedures by [Insert site specific procedure reference.]

E.3.2 Flaw Remediation X This control is addressed by the plant wide flaw remediation procedure. [Insert site specific procedure reference.] Note:

This may be a combination of procedures.

F-3

E.3.3  Malicious Code Protection  [Technical: X]
  Basis: Technical control, addressed by NEI 13-10 Section 5. This security control is addressed by alternative cyber security controls as described in Section 3.1.6 of licensees' cyber security plans by the following:
  • Taking credit for implementing measures to detect and mitigate the cyber compromise prior to adverse impact to direct CDAs or Safety, Security, or EP functions.
  • Implementing the baseline controls cyber security protection criteria specified in Section 5 that are deemed to be adequate; this control is not required unless malicious code protection mechanisms are relied on for detection of a cyber compromise of the CDA.

E.3.4  Monitoring Tools and Techniques  [Technical: X]
  Basis: Same as E.3.3.

E.3.5  Security Alerts and Advisories  [Programmatically: X]
  Basis: This control is addressed by the site vulnerability management procedure, [insert site specific procedure reference], which monitors credible sources for vulnerability/threat updates and implements corrective actions or mitigating measures in a reasonable timeframe once new applicable vulnerabilities/threats have been identified.

E.3.6  Security Functionality Verification  [Technical: X]
  Basis: Same as E.3.3.

E.3.7  Software and Information Integrity  [Technical: X]
  Basis: Same as E.3.3.

E.3.8  Information Input Restrictions  [Technical: X]
  Basis: Same as E.3.3.

E.3.9  Error Handling  [Technical: X]
  Basis: Same as E.3.3.

E.3.10  Information Output Handling and Retention  [Programmatically: X]
  Basis: Same as E.1.1.

E.3.11  Anticipated Failure Response  [Programmatically: X(f)]
  Basis: Addressed by NEI 13-10 Section 5(f).

E.4.1  System Maintenance Policy and Procedures  [Programmatically: X]
  Basis: This requirement is addressed by plant-wide maintenance policies and procedures. [Insert references to site maintenance procedures, IT procedures, interface agreements, etc.]

E.4.2  Maintenance Tools  [Technical: X; Programmatically: X(d)]
  Basis: Technical control, addressed by NEI 13-10 Section 5(d).

E.4.3  Personnel Performing Maintenance and Testing Activities  [Programmatically: X]
  Basis: This control is addressed by complying with the requirements of 10CFR73.56, the training qualification program, the work control program, and the IT maintenance procedures. [Insert site specific procedure reference.]

E.5.1  Physical and Operational Environment Protection Policies and Procedures  [Programmatically: X(a)]
  Basis: The security control is addressed by implementing the baseline controls cyber security protection criteria as specified in NEI 13-10 Section 5(a).

E.5.2  Third Party/Escorted Access  [Programmatically: X(a)]
  Basis: The security control is addressed by implementing the baseline controls cyber security protection criteria as specified in NEI 13-10 Section 5(a).

E.5.3  Physical & Environmental Protection  [Programmatically: X(a)]
  Basis: The security control is addressed by implementing the baseline controls cyber security protection criteria as specified in NEI 13-10 Section 5(a).

E.5.4  Physical Access Authorizations  [Programmatically: X(a)]
  Basis: The security control is addressed by implementing the baseline controls cyber security protection criteria as specified in NEI 13-10 Section 5(a).

E.5.5  Physical Access Control  [Programmatically: X(a)]
  Basis: The security control is addressed by implementing the baseline controls cyber security protection criteria as specified in NEI 13-10 Section 5(a).

E.5.6  Access Control for Transmission Medium  [Programmatically: X(a)]
  Basis: The security control is addressed by implementing the baseline controls cyber security protection criteria as specified in NEI 13-10 Section 5(a).

E.5.7  Access Control for Display Medium  [Programmatically: X(a)]
  Basis: The security control is addressed by implementing the baseline security control as specified in NEI 13-10 Section 5(a).

E.5.8  Monitoring Physical Access  [Programmatically: X(a)]
  Basis: The security control is addressed by implementing the baseline controls cyber security protection criteria as specified in NEI 13-10 Section 5(a) and by taking credit for the existing physical security program and access controls.

E.5.9  Visitor Control Access Records  [Programmatically: X(a)]
  Basis: The security control is addressed by implementing the baseline controls cyber security protection criteria as specified in NEI 13-10 Section 5(a) and by taking credit for the existing physical security program and access controls.

E.6  Defense-In-Depth  [Programmatically: X(c)]
  Basis: The security control is addressed by implementing the baseline controls cyber security protection criteria as specified in NEI 13-10 Section 5(c).

E.7.1  Incident Response Policy and Procedures  [Programmatically: X]
  Basis: This control is addressed by the site maintenance, corrective action program, configuration management (which are updated to address cyber security), and incident response procedures. [Insert site specific procedure reference.] These generic procedures apply to CDAs generally. No additional policy requirements for non-direct CDAs.

E.7.2  Incident Response Training  [Programmatically: X]
  Basis: Incident response training applies to CDAs in general. [Insert site specific procedure reference.] Additional training may be needed to deal with the wide range of technically and functionally diverse non-direct CDAs.

E.7.3  Incident Response Testing and Drills  [Programmatically: X]
  Basis: Incident response testing and drills apply to CDAs in general. [Insert site specific procedure reference.] Additional testing and drills may be needed to deal with the wide range of technically and functionally diverse non-direct CDAs.

E.7.4  Incident Handling  [Programmatically: X]
  Basis: Incident handling protocols apply to CDAs in general. [Insert site specific procedure reference.] Additional incident handling protocols may be developed to deal with the wide range of technically and functionally diverse non-direct CDAs.

E.7.5  Incident Monitoring  [Programmatically: X]
  Basis: Incident monitoring applies to CDAs in general. [Insert site specific procedure reference.] No additional incident monitoring is required for non-direct CDAs.

E.7.6  Incident Response Assistance  [Programmatically: X]
  Basis: Incident response assistance applies to CDAs in general. [Insert site specific procedure reference.] No additional incident response assistance is required for non-direct CDAs.

E.8.1  Contingency Plan  [Programmatically: X]
  Basis: Plant operating procedures provide contingencies for abnormal conditions. Maintenance procedures provide capabilities to recover the function of failed equipment. Contingency plans are developed in accordance with the CDA's function and/or capability when operating and maintenance procedures do not recover the function within the required timeframe to preserve the Safety, Security, or EP function. [Insert site specific contingency procedure reference.] No additional implementation is required for non-direct CDAs.

E.8.2  Contingency Plan Testing  [Programmatically: X]
  Basis: Contingency plan testing is performed in accordance with the contingency procedure. No additional testing is required for non-direct CDAs.

E.8.3  Contingency Training  [Programmatically: X]
  Basis: Contingency plan training is performed in accordance with the contingency procedure. No additional training is required for non-direct CDAs.

E.8.4  Alternate Storage Site/Location for Backups  [Programmatically: X]
  Basis: Alternate storage locations are established in accordance with the contingency procedure. No additional requirements for non-direct CDAs.

E.8.5  CDA Backups  [Programmatically: X]
  Basis: CDA backups are established in accordance with the contingency plan established in E.8.1. No additional requirement for non-direct CDAs.

E.8.6  Recovery and Reconstitution  [Programmatically: X]
  Basis: Normal site maintenance, repair and recovery processes, which include root-cause analysis when necessary, are sufficient (including necessary technical detail as appropriate) for the recovery of non-direct CDAs.

E.9.1  Cyber Security Awareness and Training  [Programmatically: X]
  Basis: This control is addressed by the plant-wide cyber security awareness and training. [Insert site specific procedure reference.] No additional training is required for indirect CDAs.

E.9.2  Awareness Training  [Programmatically: X]
  Basis: This control is addressed by the plant-wide cyber security awareness and training. [Insert site specific procedure reference.] No additional training is required for indirect CDAs.

E.9.3  Technical Training  [Programmatically: X]
  Basis: This control is addressed by the plant-wide cyber security technical training. [Insert site specific procedure reference.] When technical cyber controls are credited for the detection of a compromise, technical training must include specific material on the use of those capabilities for detecting cyber compromises of non-direct CDAs. Additionally, for EP indirect CDAs, facility personnel are trained to use the alternate methods for accomplishing the functions performed by the EP indirect CDAs.

E.9.4  Specialized Cyber Security Training  [Programmatically: X]
  Basis: This control is addressed by the plant-wide cyber security specialized cyber-security training. [Insert site specific procedure reference.] No additional training is required for indirect CDAs.

E.9.5  Situation Awareness  [Programmatically: X]
  Basis: This control is addressed by the plant-wide policies and procedures for situational awareness. [Insert site specific procedure reference.] No additional situational awareness is required for non-direct CDAs.

E.9.6  Feedback  [Programmatically: X]
  Basis: This control is addressed by the plant-wide policies and procedures for cyber security feedback. [Insert site specific procedure reference.] No additional feedback is required for non-direct CDAs.

E.9.7  Security Training Records  [Programmatically: X]
  Basis: This control is addressed by the plant-wide policies and procedures for security training record keeping. [Insert site specific procedure reference.] No additional training records are required for non-direct CDAs.

E.9.8  Contacts With Security Groups and Associations  [Programmatically: X]
  Basis: This control is addressed by the plant-wide policies and procedures for incident response. [Insert site specific procedure reference.] No additional requirements for non-direct CDAs.

E.10.1  Configuration Management  [Programmatically: X(e)]
  Basis: Addressed by NEI 13-10 Section 5(e).

E.10.2  Configuration Management Policy and Procedures  [Programmatically: X(e)]
  Basis: Same as E.10.1.

E.10.3  Baseline Configuration  [Programmatically: X]
  Basis: A baseline configuration is documented by entering the specific hardware, firmware/software (including patches and updates) and configuration setting information for the non-direct CDA into a site configuration management program and associated systems.

E.10.4  Configuration Change Control  [Programmatically: X(e)]
  Basis: Same as E.10.1.

E.10.5  Security Impact Analysis  [Programmatically: X(e)]
  Basis: Same as E.10.1.

E.10.6  Access Restrictions for Change  [Programmatically: X]
  Basis: This security control is addressed by alternative security control as described in Section 3.1.6 of licensees' cyber security plans by the following:
  • Taking credit for implementing measures to detect and mitigate the cyber compromise prior to adverse impact to direct CDAs or Safety, Security, or EP functions.
  • Taking credit for implementing NEI 13-10 Section 5(a), 5(b), and 5(c). The corrective action program addresses discovered deviations. Detection of unauthorized changes is accomplished in accordance with E.3.4.
  • Conducting post-maintenance testing to validate that changes are correctly implemented.
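The baseline record that E.10.3 calls for, together with the deviation check and post-maintenance test that E.10.6 relies on, as an added Python illustration. This is not text or code from NEI 13-10 or from any licensee's configuration management program; the CDA identifier, the three-category record layout and every sample value are constructed for the example. It goes slightly beyond the rows above in that the post-maintenance test also separates authorized changes from unexplained ones, which is what makes a deviation reportable to the corrective action program.

```python
"""Added illustration (not NEI 13-10 text): an E.10.3 baseline configuration
record for a non-direct CDA and the E.10.6 deviation / post-maintenance checks
run against it. All identifiers and values below are constructed samples."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CATEGORIES = ("hardware", "software", "settings")  # the three E.10.3 item groups


@dataclass
class BaselineConfiguration:
    """One non-direct CDA's approved baseline: hardware, firmware/software
    (including patch level) and configuration settings, each as item -> value."""
    cda_id: str
    hardware: Dict[str, str]
    software: Dict[str, str]
    settings: Dict[str, str]


@dataclass
class Deviation:
    """A single difference between an observed snapshot and the baseline.
    expected is None when the item is not in the baseline at all;
    observed is None when a baseline item is missing from the snapshot."""
    category: str
    item: str
    expected: Optional[str]
    observed: Optional[str]


Snapshot = Dict[str, Dict[str, str]]          # category -> item -> observed value
ChangeSet = Dict[Tuple[str, str], str]        # (category, item) -> authorized new value


def compare_to_baseline(baseline: BaselineConfiguration, observed: Snapshot) -> List[Deviation]:
    """Return every deviation: changed values, items missing from the device,
    and items present on the device that the baseline never approved."""
    deviations: List[Deviation] = []
    for category in CATEGORIES:
        expected = getattr(baseline, category)
        actual = observed.get(category, {})
        for item in sorted(set(expected) | set(actual)):
            if expected.get(item) != actual.get(item):
                deviations.append(Deviation(category, item, expected.get(item), actual.get(item)))
    return deviations


def verify_post_maintenance(baseline: BaselineConfiguration, observed: Snapshot,
                            authorized: ChangeSet) -> Tuple[bool, List[Deviation]]:
    """Post-maintenance test: each deviation from the pre-maintenance baseline must
    match an authorized change (same item, expected new value). Anything else is an
    unexplained change for the corrective action program. Returns (ok, unexplained)."""
    unexplained = [d for d in compare_to_baseline(baseline, observed)
                   if authorized.get((d.category, d.item)) != d.observed]
    return (not unexplained, unexplained)


def apply_authorized_changes(baseline: BaselineConfiguration, authorized: ChangeSet) -> BaselineConfiguration:
    """Produce the new baseline once an authorized change is verified, so the
    configuration management record keeps pace with the device (E.10.3)."""
    groups = {c: dict(getattr(baseline, c)) for c in CATEGORIES}
    for (category, item), value in authorized.items():
        groups[category][item] = value
    return BaselineConfiguration(baseline.cda_id, **groups)


# Constructed sample data: a pre-maintenance baseline, a snapshot taken after a
# patch was applied, and the change request that authorized only the patch.
BASELINE = BaselineConfiguration(
    cda_id="NDC-EXAMPLE-01",                                  # constructed id
    hardware={"model": "PLC-X", "firmware": "2.4.1"},
    software={"os": "vendor-rtos 5.2", "patch_level": "2021-09"},
    settings={"web_interface": "disabled", "ntp_server": "10.0.0.5"},
)
OBSERVED_AFTER_PATCH: Snapshot = {
    "hardware": {"model": "PLC-X", "firmware": "2.4.1"},
    "software": {"os": "vendor-rtos 5.2", "patch_level": "2021-10"},
    "settings": {"web_interface": "enabled", "ntp_server": "10.0.0.5"},  # not authorized
}
AUTHORIZED: ChangeSet = {("software", "patch_level"): "2021-10"}

if __name__ == "__main__":
    ok, unexplained = verify_post_maintenance(BASELINE, OBSERVED_AFTER_PATCH, AUTHORIZED)
    print("post-maintenance test passed:", ok)
    for d in unexplained:
        print(f"  unexplained change: {d.category}/{d.item}: {d.expected!r} -> {d.observed!r}")
```

Run as a script, the sample fails the post-maintenance test because the web interface was enabled without a change request, while the patch level difference is accounted for by the authorized change; only the unexplained item would be entered into the corrective action program, and `apply_authorized_changes` is what updates the baseline after the verified change.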

E.10.7  Configuration Settings  [Programmatically: X]
  Basis: This security control is addressed by alternative security control as described in Section 3.1.6 of licensees' cyber security plans by the following:
  • Taking credit for implementing measures to detect and mitigate the cyber compromise prior to adverse impact to direct CDAs or Safety, Security, or EP functions.
  • Taking credit for implementing Sections 3.1.3 and 3.1.5 and E.10.3 of the CSP.
  • Conducting post-maintenance testing to validate that changes are implemented correctly.

E.10.8  Least Functionality  [Programmatically: X]
  Basis: This security control is addressed by alternative security control as described in Section 3.1.6 of licensees' cyber security plans by the following:
  • Taking credit for implementing measures to detect and mitigate the cyber compromise prior to adverse impact to direct CDAs or Safety, Security, or EP functions.
  • Taking credit for implementing Sections 3.1.3 and 3.1.5 of the CSP.

E.10.9  Component Inventory  [Programmatically: X]
  Basis: This security control is addressed by alternative security control as described in Section 3.1.6 of licensees' cyber security plans by the following:
  • Taking credit for implementing measures to detect and mitigate the cyber compromise prior to adverse impact to direct CDAs or Safety, Security, or EP functions.
  • Taking credit for implementing NEI 13-10 Section 5(e) and CSP Sections 3.1.3, 3.1.5 and E.10.3 as specified above.

E.11.1  System and Services Acquisition Policy and Procedures  [Programmatically: X]
  Basis: This security control is addressed by alternative security control as described in Section 3.1.6 of licensees' cyber security plans by:
  • Taking credit for implementing measures to detect and mitigate the cyber compromise prior to adverse impact to direct CDAs or Safety, Security, or EP functions and by implementing standard nuclear purchasing processes.

E.11.2  Supply Chain Protection  [Programmatically: X]
  Basis: Same as E.11.1.

E.11.3  Trustworthiness  [Programmatically: X]
  Basis: Same as E.11.1.

E.11.4  Integration of Security Capabilities  [Programmatically: X]
  Basis: This security control is addressed by alternative security control as described in Section 3.1.6 of licensees' cyber security plans by:
  • Taking credit for implementing measures to detect and mitigate the cyber compromise prior to adverse impact to direct CDAs or Safety, Security, or EP functions.
  • Implementing the threat and vulnerability management program in accordance with NEI 08-09 Appendix E.3.2 and E.3.5. [Insert site specific procedure reference.] No additional requirements for non-direct CDAs.

E.11.5  Developer Security Testing  [Programmatically: X]
  Basis: This control is addressed by taking credit for implementing measures to detect and mitigate the cyber compromise prior to adverse impact to direct CDAs or Safety, Security, or EP functions and by implementing standard nuclear purchasing processes [insert site specific procedure reference] that address:
  • Internal pre-operational testing,
  • Malicious code scanning when possible, and
  • Calibration / configuration program.

E.11.6  Licensee Testing  [Programmatically: X]
  Basis: Same as E.11.5.

E.12  Evaluate And Manage Cyber Risk  [Programmatically: X(e,g)]
  Basis: This security control is addressed by alternative security control as described in Section 3.1.6 of licensees' cyber security plans. As an alternate, this control is addressed by NEI 13-10 Section 5(e) and (g) and by a plant-wide program under which threat and vulnerability notifications received from credible sources are screened, evaluated, mitigated and dispositioned in accordance with the CSP.
