ML22013B263

Transcript of the Advisory Committee on Reactor Safeguards 691st Full Committee Meeting, November 30, 2021, Pages 1-129 (Open)
Issue date: 11/30/2021
From: Advisory Committee on Reactor Safeguards
To: Burkhart, L, ACRS
References: NRC-1775

Official Transcript of Proceedings

NUCLEAR REGULATORY COMMISSION

Title: Advisory Committee on Reactor Safeguards

Docket Number: (n/a)

Location: teleconference

Date: Tuesday, November 30, 2021

Work Order No.: NRC-1775

Pages 1-106

NEAL R. GROSS AND CO., INC.
Court Reporters and Transcribers
1716 14th Street, N.W., Suite 200
Washington, D.C. 20009
(202) 234-4433


DISCLAIMER

UNITED STATES NUCLEAR REGULATORY COMMISSION'S
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS

The contents of this transcript of the proceeding of the United States Nuclear Regulatory Commission Advisory Committee on Reactor Safeguards, as reported herein, is a record of the discussions recorded at the meeting.

This transcript has not been reviewed, corrected, and edited, and it may contain inaccuracies.

UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION

+ + + + +

691ST MEETING
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
(ACRS)

+ + + + +

TUESDAY
NOVEMBER 30, 2021

+ + + + +

The Advisory Committee met at the Nuclear Regulatory Commission, Two White Flint North, Room T2B1, 11545 Rockville Pike, at 8:30 a.m., Matthew W. Sunseri, Chairman, presiding.

COMMITTEE MEMBERS:

MATTHEW W. SUNSERI, Chairman
JOY L. REMPE, Vice Chairman
RONALD G. BALLINGER, Member
VICKI M. BIER, Member
DENNIS BLEY, Member
CHARLES H. BROWN, JR., Member
GREGORY H. HALNON, Member
VESNA B. DIMITRIJEVIC, Member*
DAVID PETTI, Member

ACRS CONSULTANT:

STEPHEN SCHULTZ

DESIGNATED FEDERAL OFFICIAL:

WEIDONG WANG
CHRISTOPHER BROWN

*Present via teleconference

P R O C E E D I N G S

1:00 p.m.

CHAIRMAN SUNSERI: Okay. It is 1:00 o'clock. We will reconvene the ACRS meeting for today. Our next topic on the agenda is Draft Guide 5061, Revision 1, cyber security programs for nuclear power reactors. At this point, I will turn it over to Member Brown for any comments before getting into presentations.

MEMBER BROWN: Okay. We have Jim Beardsley and Jeanne Johnston here with us in person to help answer questions. Kim, I'm going to get this right, Lawson --

MR. BEARDSLEY: Jenkins.

MEMBER BROWN: -- Jenkins. I'm sorry. Are you on?

MS. LAWSON-JENKINS: Yes, I am. I am on the call. Thank you.

MEMBER BROWN: I apologize for that. I'm going to let them make some introductory remarks. You may remember we have one subcommittee that all the people present here for this presentation are the same ones. So we'll have some continuity.

And I think everybody but Walt, you weren't at our October meeting, were you? Okay. So most of the slides, we asked them to pay attention to the important slides, not just the little ones. And so we cut the slide deck, I think, from 43 or 44 or 49, whatever it was, down to, what, 20?

MR. BEARDSLEY: Twenty-eight.

MEMBER BROWN: Twenty-eight. So we ought to be able to fit in okay.

MEMBER BROWN: And Jim and Jeanne, I will open it up to you for you to all to make opening comments.

MR. BEARDSLEY: Thank you very much. And thank you for the opportunity to brief the full committee on our updates to Regulatory Guide 5.71 or Draft Guide 5065 --

MEMBER BROWN: 5061, Rev. 1.

MR. BEARDSLEY: -- Rev. 1. The staff recognizes that there have been concerns raised relative to the safety and security regulation and the coordination thereof. The staff does not believe that there is a gap in this area. And we've invited a colleague, Jeanne, from NRR, Division of Engineering, to join us today and help describe how our two organizations work together to ensure the safety and security objectives are met.

In July 2021, the staff provided the digital INC subcommittee and update brief on the entire cyber security oversight program. In October, we followed that brief with a detailed brief on Revision 1, Regulatory Guide 5.71. And a shorter version of that presentation will be used today. Excuse me.

Since 2012, the operating nuclear power reactor licensees have implemented their full cyber security programs. The NRC has implemented an oversight program of the licensees' cyber security implementation. Each cyber security program has been inspected at least two times since 2013 and found to be effective.

Revision 1, Regulatory Guide 5.71 does not change the staff's position on the cyber security program implementation for nuclear power plants. The revision includes guidance clarification based on lessons learned from program implementation and our oversight inspections, reference to updated international and NIST standards -- National Institute of Standards standards. And it reflects one new NRC regulations, 10 Code of Federal Regulations 73.77, cyber security event notification rule, which was implemented following the initial publishing of Regulatory Guide 5.71.

Following the Executive Director of Operations direction to staff based on concerns raised by the ACRS' March 2021 letter, cyber security staff incorporated one change into Regulatory Guide 5.71 into one of the technical security controls. And Ms. Lawson-Jenkins will address that change in her presentation. As part of our coordination efforts, the ancillary staff are excuse me, are participating in pre-application discussions for digital INC upgrades and pre-application discussions with new licensees and also the ancillary staff, support vendor and regional oversight inspections, or digital INC upgrades, factory acceptance testing, and site acceptance testing. At this point, I'll turn it over to Jeanne to speak to NRR's perspective.

MEMBER HALNON: One quick question.

MR. BEARDSLEY: Oh, yes.

MEMBER HALNON: You mentioned that the programs are found to be effective.

MR. BEARDSLEY: Yes.

MEMBER HALNON: When you say effective, did you mean that you were able to inspect whether the cyber program actually repelled an attack or something to that effect? Or is it just in compliance?

MR. BEARDSLEY: So the cyber security plan is a license condition for each licensee. So it's part of their license requirement. And what we've done is it's primarily compliance because we have not had -- we don't have a method to test -- actually test them.

But as part of the instructions, we do look at the configurations they've used or the hardware they use for protection. We've gone very deep into those inspections. Between the two inspections, there was over four weeks of actual inspection activity, and so that's a lot of effort we put in to verify that they understand the requirements and they've implemented them.

MEMBER HALNON: No elevated findings or did you have some?

MR. BEARDSLEY: At this time, we have no findings greater than green.

MEMBER HALNON: No greater than --

MR. BEARDSLEY: There is one potential finding that is being adjudicated and it has not been closed out yet. But over the course of all those years -- and I can't remember. There's something like 150 inspections. We have found nothing is greater than green.

MEMBER HALNON: I just want to distinguish between when you say the security, the physical security is actually what's after force on force and actually tested the defenses as opposed to cyber. You don't really have testing, a way to test it at this point.

MR. BEARDSLEY: We don't have a way to test it similar to the force on force.

MEMBER HALNON: Okay. Thanks.

MEMBER BLEY: I'm just a little curious. When we first started looking at this with you, we had a lot of discussion about how one defines -- is the right term essential cyber assets or it's a different

MR. BEARDSLEY: Critical digital assets.

MEMBER BLEY: Critical digital assets.

MR. BEARDSLEY: Yes.

MEMBER BLEY: And it was -- looked like a massive job. And I know you made changes to make that more directly useable. When you do those inspections, is a lot of that inspection time aimed at seeing how well defined those critical digital assets are?

MR. BEARDSLEY: So one of the things we looked at very closely in the first inspection program between 2013 and 2015 was the process the licensee used for defining which digital assets were critical digital assets. Once we inspected that, we had a level of assurance -- reasonable assurance that they had a process in place that was effective. Then we went in for a second set of inspections between 2017 to 2021. We actually looked at the change control process they use for adding or deleting critical digital assets or reclassifying them and found that to be within reasonable assurance to be adequate as well.

MEMBER BLEY: I'm just curious. Did a lot of people make changes?

MR. BEARDSLEY: Many of them did make changes, and they were primarily to be -- so what we did was we approved guidance for them to use a graded approach to those digital assets that were less -- had less of a risk. And so yes, we did look at that, and many of them did make changes. And we believe that there'll be further changes made prior to our new inspection program that'll start next year.

MEMBER BLEY: Next year? Okay. Thank you.

MEMBER BALLINGER: You said that you had over, what, 150 inspections?

MR. BEARDSLEY: It's more than that.

MEMBER BALLINGER: Okay. More than that. A lot?

MR. BEARDSLEY: Yeah, yeah, yeah. But that's --

(Simultaneous speaking.)

MEMBER BALLINGER: No higher than green?

MR. BEARDSLEY: No findings greater than green at this time. As I said, there is one finding that is currently under adjudication by one of the regions that could be greater than green. But other than that, no.

MEMBER BALLINGER: But how many greens?

MR. BEARDSLEY: There were a number of greens.

MEMBER BALLINGER: Was there a pattern in the number of greens? In other words, this particular issue was common among the green findings.

MR. BEARDSLEY: So what we found was over time there were some repeat findings. But industry using their operating experience program had to educate themselves. And we, through public meetings, had to explain, hey, this is an area that we think industry needs to work on.

And so they would correct those. And we don't want to look at the same thing in every inspection. So we would change our focus as we went through. But industry did learn and did improve performance over the course of the inspection program.

MEMBER BLEY: Correct me. But I think what Ron was getting at is, did you see not at one plant the same things repeating but was some area that repeated a lot across --

(Simultaneous speaking.)

MR. BEARDSLEY: We did. We did see areas that were repeated across multiple inspections. But industry learned those lessons and put the corrections in place. So latter inspections, to a great extent, they had made corrections. And we did not find those same --

(Simultaneous speaking.)

MEMBER BALLINGER: Multiple inspections at multiple plants?

MR. BEARDSLEY: Correct, yes.

(Simultaneous speaking.)

MR. BEARDSLEY: Multiple inspections at multiple plants.

MR. BEARDSLEY: Correct, yes.

(Simultaneous speaking.)

MR. BEARDSLEY: Multiple inspections at multiple plants.

MEMBER HALNON: -- kiosk were common for a while. And so --

MR. BEARDSLEY: Right.

MEMBER HALNON: -- that issue got resolved.

MR. BEARDSLEY: Yeah.

MEMBER HALNON: And a couple of other issues --

MR. BEARDSLEY: Correct.

MEMBER HALNON: -- stayed -- until NEI engaged and there was a meeting of the minds. And so there were some things. But like, you're right. They kind of decreased as time went on.

MR. BEARDSLEY: Right. For the kiosk, we actually had a series of meetings with industry to come to terms with what the requirements were. The majority of those issues that you identified is corrected through industry operating experience. They would just share the experience across industry and make the appropriate corrections. And we would not find those same issues.

MEMBER BALLINGER: So you really don't have any repeat offenders?

MR. BEARDSLEY: It's hard to characterize industry as a whole. Some licensees would pick up on operating experience. Some of them might now. So a year later, we'd see something we saw before and we'd a new finding. So I can't speak to industry as overall. But in general, the trend we saw was improvement over the course of the inspection. Okay? Jeanne?

MS. JOHNSTON: Okay. Thanks, Jim.

(Simultaneous speaking.)

MS. JOHNSTON: Thank you. Thank you, Jim. My name is Jeanne Johnston. I'm the Branch Chief of the Long-term Operations and Modernization branch at NRR. My branch has responsibility for guidance development, for instrumentation controls, and electrical areas that support modernization. So primarily, this includes the increase of digital modernization projects that we expect for control and protection systems at nuclear power plants.

As Jim mentioned, headquarters staff from NRR and NSIR continue to closely coordinate on issues that are related to safety and security. And we do this coordination with the regions. So examples include our implementation of an alternate review process for digital modernization license amendments and implementing that and licensing and inspection activities for digital modifications.

We understand the concerns that were previously conveyed by the ACRS regarding unidirectional communications from higher to lower safety systems. And we plan to communicate expectations and best practices to our stakeholders in upcoming public interactions. To mention, there is a public meeting that will likely be held in the January time frame on our guidance development where we will seek stakeholder input on prioritization.

There's also -- we're planning also on having a lessons learned workshop in the March time frame to discuss lessons learned from digital modernization and applying the alternate review process in licensing and in section activities. You may know that the NRC recently approved a digital modification at Waterford to updated their core protection calculator. That is the first use of the alternate review process for digital modification.

And we expect more applications next year to use that process. The clarifications that we expect to convey will emphasize the design option that is available to vendors and applications to implement a hardware-based unidirectional communication between systems of different safety significance. The staff recently updated the ACRS subcommittee on --

(Simultaneous speaking.)

MEMBER BROWN: Could you back and repeat that again?

MS. JOHNSTON: Sure. So -- okay.

MEMBER BROWN: Just pick it up. Pick it up.

MS. JOHNSTON: Okay, okay. I'll try to project.

MEMBER BROWN: That's it.

MS. JOHNSTON: Okay.

MEMBER BROWN: Thank you.

MS. JOHNSTON: So we were given direction from the EDO that stemmed from the ACRS feedback that we got from the March letter from Chairman Sunseri. And as you know, the Chairman tasked the EEO to create a task force to look into the concerns that were raised regarding unidirectional communications when they go from higher safety significance to then lower safety significance systems. The independent task force recommendations were given to the staff as the direction from the EEO to implement clarifications.

So one clarification, as Jim mentioned, is included in Reg Guide 5.71 which you're going to hear about today. The other clarifications are going to be in other guidance documents which my branch would have responsibility over, and primarily Reg Guide 1.152, which will be updated not for another year or so, and Branch Technical Position BTP 7-19. So the BTP 7-19 guidance is for the SRP. It's staff guidance. Revision 8 was completed earlier this year. So due to resources and prioritization, we aren't planning on updating those documents in the near term.

But before we memorialize the guidance updates, we are going to communicate our expectations during public workshops, public meetings where we engage stakeholders and talk about expectations for licensing amendments for additional modification projects. And the two workshops that I mentioned, one would be in the January time frame to talk about our guidance development infrastructure improvements. And the other one is a lessons learned workshop for digital modification, licensing, and inspection items. And that would be in the March time frame.

MEMBER BLEY: Thanks. It might not be fair to put you on the spot.

MS. JOHNSTON: Sure.

MEMBER BLEY: But to the best of my knowledge, the staff hasn't sent a response back to us on that letter. Do you have any --

MS. JOHNSTON: Yes. Okay, that --

MEMBER BLEY: -- knowledge about that?

MS. JOHNSTON: That is correct. So the letter was not addressed to us. Are you referring to the Chairman's letter, the ACRS --

(Simultaneous speaking.)

MEMBER BLEY: I am.

MS. JOHNSTON: -- letter to the Chairman? Okay. That was addressed to the Chairman. So it never came down to the staff to get a response.

MEMBER BLEY: Okay. We often get responses from the staff on letters we write to the Chairman. But that's all right.

MS. JOHNSTON: Oh, okay. Well, we can certainly -- if that is what is expected, we can certainly do that. It just was never --

MEMBER BLEY: We'd like -- we've been looking for something clear that says where you're headed.

MS. JOHNSTON: Okay.

MEMBER BLEY: We've looked at the things you've sent back to the Commission and EDOs promulgated. But --

MS. JOHNSTON: Sure.

MEMBER BLEY: -- something directed at us, I think, Charlie, don't you? We'd like to --

(Simultaneous speaking.)

MEMBER BROWN: The issue is coming down to the point where BTP 7-19 was kind of the kickoff. If you go back to about two years, one of the earlier reviews of 7-19 and then November of '19 --

MS. JOHNSTON: Sure.

MEMBER BROWN: -- when we commented. And then we had the follow-up. We requested something. And then you all didn't agree with us with that. So you went ahead and issued Revision 8 --

MS. JOHNSTON: Right.

MEMBER BROWN: -- without anything at all. So right now, there are no technical documents at all, neither the standard review plan, 7-19, defense-in-depth, which is a pretty critical review document for all the new applications. And Reg Guide 1.152 is not specific on this area at all.

I'm not being critical. I'm just stating, even rev 3 which you have incorporated into the new Reg Guide. It doesn't have any particular direction relative to this.

And so right now, the only document that's anywhere to provide what I call NRC documented comments, not public workshops, not notes, lessons learned, conferences, all that kind of stuff, that's nice which it's a good thing to do. But it doesn't provide what is expected. And just talking about it in a public meeting or in a -- I mean, it's a personal opinion.

MS. JOHNSTON: Sure.

MEMBER BROWN: Okay. It's good. At least the applicants and the licensees know what you guys are thinking, but yet it's not written down formally. So I mean, it's -- we've managed at least in the new advanced reactor -- advanced reactor design review guide actually addresses this issue very pointedly with the exact kind of similar type words we would have liked to have seen in 7-19. We would have liked to have had a nice new design review guide as part of the standard review plan development. But that's a big conflagration of the whole thing being looked at. So it's going to be quite a while.

MS. JOHNSTON: Right.

MEMBER BROWN: So the difficulty is there's no -- nothing written down that says, hey, this is really what our expectations are via either a regulatory guide or a branch technical position or even an ISG. ISG-6 talks about architectures, even in the alternate review process. You've got to develop an architecture similar to what we did for the new plant designs.

And then it's got a bunch of other stuff that makes a little bit easier for them to get through the alternate review process. So that, to me -- and this is, again, my personal opinion. You've heard it from me before is there's a gap in my own mind at ensuring that in the design space five or six years separated from a COL type space when you all do the cyber or when Jim does the cyber stuff. What do the designers do when we're doing a design review? For instance, we've got Limerick and Turkey Point --

MS. JOHNSTON: That's right.

MEMBER BROWN: -- coming up. And as you might expect based on at least from my view point we're going to look at those what they propose. And if we don't see a unidirectional hardware-based not configured by software, in other words, a data diode, if you call those synonymous, we'll be making a comment. Or at least I will be recommending that we make a comment.

Excuse me. I want to make sure I phrase this properly. So that's not the right way to do it. I mean, it ought to be recognized that there's a difference between when we had the analog world all you needed was the physical access security.

But once you introduce the new path, control of access or electronic access and what you call an attack path I guess was what the NSER (phonetic) calls it. Did I get that right, attack pathway? Now you had to have some electronic.

Designers have to do something. They've got to send data out because you got to go tell the pumps to start and the valves to open and send data off to the control room. How do they do that? You can't wait five years.

Having a little bit of humor in this thing, you can't deliver a set of cabinets with fiberoptic cables hanging out the bottom. They got to have a transmission device hooked up to them someplace. And when we make comments to do that, you get pushback because that's cyber.

And I think that's not the right way to do it. That's a personal opinion. The designers have to -- in the design space, they have to be able to do that. And it's not in any of the design documents other than the advanced lightwater design review guide right now.

But that's the fundamental for us. I went back through rev 0 that we did. I wrote the letter on that ten years ago and also reviewed it line by line. And I compared it to the new rev 1.

And fundamentally, that's all the changes you made, highlighted them. I don't have any real disagreements with what you all did with a few exceptions. Those exceptions revolve around how do we differentiate the cyber world from those systems that can't have any -- they can't have virus systems.

They can't have detection mitigation systems in them. We can't do that. It'll destroy the control functions if you do that. It just doesn't work. So they're sitting there naked.

So the only way you can protect them from other than the implant, the insider threat is via the unidirectional device. And there's no place else and it's not separated, even in the one section that you all address. And I don't have the paragraph in here.

You made the comment that if the application or the licensees decide to review -- to use -- to do a cyber review during -- and I'm getting the words a little bit. But it talks about a cyber review during the design process to implement those. That implies they're doing a cyber review.

They're not. They're doing a design review. And they're not to commit to doing a cyber review as part of the design process. So there's a little disconnect on how that's worded.

So that's a separation of how do you get the design people freed up to do the design as they ought to be able to do. And if they don't do it right when they get to cyber end of the business, fine. But we know it's not going to happen that way if you implement these.

So that's -- from my standpoint, that's what I've been trying to get discussed and get some action taken. This is the only document going out in the next few years frankly. And all I was looking for was something more than the one sentence in Section 331 which talked about technical security controls.

You did a good job on some others. You talked about when you wanted unidirectional, it ought to be hardware-based, et cetera. That's up ahead of the big -- the defensive architecture diagram. That was expanded, and that was good.

So there's a couple more changes like that that you all introduced. But we don't get to the point where we say, there's a world that has no virus detection and mitigation systems. And those methods we use here in 527-1 are suitable because I think they are for application in their design world.

And then they can be reviewed later if there's some other aspects that come up. That's the disconnect I see. And other than that, I was pretty satisfied with rev 1.

You can argue about the length of the appendices and ginormous amount of paperwork that goes along with it. But I think Appendix B is the primary technical part of it. A and C are more management.

And I had another word and I promptly -- my 80-year-old brain just forgot it. Administrative, tells you how to lay out the paperwork process and programming and teams to review and all that, but not the technical aspects. Yeah, thank you. Very good. Yeah, Appendix B.

But you don't want to put this other information about separation of stuff that doesn't have any capability to put cyber detection, virus detection and mitigation software in. That's the wrong place. That's where you're actually doing stuff.

It's put in the applicability paragraph. And there's another paragraph a little bit later where the allowance for -- or recognition, excuse me. That the methods that you use here, you don't have to be in a cyber review.

You can use them and not complete a cyber review. Use them as necessary to make your design work. And that's where the disconnect is because right now the applicability says when you're doing a 7354, bang, and everything else follows. There is no differentiation.

So a second paragraph that says, hey, there are systems -- safety systems and others, control systems where you can't have the virus protection and mitigation systems. And those have to be accounted for during the design process, not wait for the COL cyber review process years later. So all I've been trying to drive for is trying to get that recognition up in the front of these and the applicability and down in part of the discussion section.

And there's a few other pieces. Like, there's no data diode to find. You talk about a data diode, but you don't really say it's a unidirectional hardware-based not configured by software. It's a definition issue. Those are small potatoes.

MS. JOHNSTON: Right. So --

MEMBER BROWN: And you use one way then. So anyway, the point being is that's what I've been trying to emphasize in our meetings.

MS. JOHNSTON: Understood.

CHAIRMAN SUNSERI: And we recognize that you may not be in a position to address this right now. We wrote to the Commission. They passed it to the EDO. We need to hear back from the EDO's office really.

MS. JOHNSTON: Okay.

CHAIRMAN SUNSERI: But you have influence on that. So thank you for being a good listener. And the messenger here, we don't intend to shoot you.

MEMBER BROWN: Oh, no.

(Simultaneous speaking.)

CHAIRMAN SUNSERI: No, no. I know. It didn't come out that way. But I want to ask --

MS. JOHNSTON: No, no, no.

CHAIRMAN SUNSERI: -- do you have a --

MEMBER BROWN: Start shooting those arrows.

CHAIRMAN SUNSERI: -- do you have a presentation?

MR. BEARDSLEY: We do.

CHAIRMAN SUNSERI: Okay. Well, maybe we can get into the presentation and some of this will all weave in. Okay?

MS. JOHNSTON: Okay. If I could, though, just to respond briefly to your concerns, Member Brown, I don't disagree with the underlying concern that you're raising that unidirectional hardware-based is a good thing to implement. The problem that we came up with was we didn't see a clear regulatory requirement to dictate that as a need. It is a good practice and --

MEMBER BROWN: Well, let me interrupt you then.

MS. JOHNSTON: Okay.

MEMBER BROWN: How can you live with a bidirectional software controlled data transmission device out of a protection system out to the rest of the systems if there's not a safety need? That's hackable right away.

MS. JOHNSTON: Well, what's on the other side, though? Is it --

MEMBER BROWN: What do you mean on the other side?

MS. JOHNSTON: What's on the other side of that connection? Like, it could be another secure computer or --

(Simultaneous speaking.)

MEMBER BROWN: Let me answer. I agree with you. However, it goes to a control system for starting a pump. Sometimes hacks into the starting of the pump and it has a virus in it. Now it's got a direct path into the reactor.

MS. JOHNSTON: Okay. So --

MEMBER BROWN: So you can't -- every system is within that boundary.

MS. JOHNSTON: Right. So --

MEMBER BROWN: It's affected. When you send it out of the reactor protection system to a control system, it starts safeguards, rods in, scram them, whatever. If that is insecure --

MS. JOHNSTON: Right.

MEMBER BROWN: -- then you've got to direct that. That's why --

MS. JOHNSTON: Agree that there's a vulnerability there in that case. What I was trying to convey was we couldn't tie that -- what you were suggesting to a regulatory requirement and make it a clear design requirement. However, it is a best practice and it would help eliminate potential failures.

And we would review upcoming applications to make sure that they meet the single failure criterion. In addition, I understand -- I'm not an authority on this at all. But I understand industry is standardizing their design process, using an EPRI document called the digital engineering guide.

And that process, as I understand it, would take all of the requirements. So our safety requirements and cyber security requirements at the forefront of the design process and take that into consideration. So really the onus is on the industry to design and vendors to design secure systems. We are seeking to clarify our guidance, clarify our expectations, and memorialize the lessons learned and improvements over time. So that's what we are planning on doing with the planned revisions to Reg Guide 1.152, the BTP 7-19, and 5.71 which is today's meeting.

MEMBER BLEY: Well, I hope the industry guidance makes this very clear. I think where we're coming from is you step outside of the nuclear business and you look across business applications, other engineering applications, automobile, trucks, ship vendors, railroads, and look at the incidents that have occurred. You don't have to be very creative to see that no matter how good you think software control is, somebody can break through it. And it's happened over and over and over again. That's kind of what's driving some of us anyway.

MEMBER BROWN: I would amplify that a little bit. Wouldn't you say there's no regulatory guidance because we've asked for it.

(Simultaneous speaking.)

MEMBER BROWN: And you said no. I'm saying that with a whole heart.

MS. JOHNSTON: Understood. Feedback received. Understood.

MEMBER BROWN: I mean, at the starting point of all this -- so I'm going to give another little soliloquy here before you get to your presentation. I apologize, Matt. But it's important to get the information out.

The whole architecture approach for reviewing the reactor safeguards, reactor protection systems, and associated safety-related systems that we started ten years ago starting with an architecture, that's your focal point for defense-in-depth and independence, thus the four standards that we keep espousing, at least since I've been here anyway. And now they're embodied in ISG, those four frameworks. Control of access has been the one we have not been able to get our fingers wrapped around.

And the object here is we're not mandating. The point being was if you differentiate the only cyber 7354 in your applicability and one of the other paragraphs and don't separate out the stuff that you can't put mitigation software in and allow people -- and just you don't have to dictate anything. You just say if you need it one way, this is the way to do it.

But right now, they consider they're precluded. I mean, the staff seems, if we make a comment, they feel it's precluded because it's not a regulatory requirement to look at it. And we're not trying to dictate every place that one goes. It's where super safe critical systems, safeguards, and reactors --

(Simultaneous speaking.)

MEMBER BLEY: I think this Reg Guide has the structure to make that clear. I mean, you use the word, architecture, over and over again and in ways we would very much agree with. And I think within that framework, this falls very neatly. We ought to let them go ahead.

MEMBER BROWN: No, I'm going to let them go ahead. I mean, however this comes out, we will be writing a letter to you. Hopefully, I will be able to convince my compatriots to provide some suggestions that you all may accept or reject. Hopefully, you will -- but they're not meant to be dictatorial.

They're meant to identify within the cyber world that there are systems that don't have software that can detect and mitigate but you can't put it in. And therefore, other methods may be necessary to protect those from outside sources. And this document provides ways to do that. That's the thought. Okay?

Not trying to dictate, but this document -- because it's the only one that's going to be out there for a good -- you say one or two -- it's really going to be four or five years. I'll make sure. I will certainly make this happen in my lifetime. I hope that was taken facetiously. And now I will defer to my Chairman.

MEMBER BLEY: I'm going to do one more.

MEMBER BROWN: Oh, go ahead. Have at it.

MEMBER BLEY: Charlie's used these words many times, and I don't quite see the link back in here is that the Reg Guide, you just said it a second ago, doesn't recognize that you can't build in virus detection and mitigation within these systems. And --

MEMBER BROWN: Oh, no. It's not in there.

MEMBER BLEY: No, you've said it. You've said it many times. But you were looking for that, I take it.

MEMBER BROWN: That's what I was -- my drive on this is not to dictate. My whole drive and my suggestions to my -- which they're helping me, by the way. I come from the naval nuclear program. I know how to write very specific stuff.

So they help me put it in a little bit different framework, the commercial world. The idea is to identify where, as Dennis said, what is this differentiation? And it does not exist.

The cyber document says everything cyber or nothing. It just stops right there. That's what the applicability says. And there's a paragraph in the discussion that says the same thing. You say that people may use these processes during -- if they want to do a cyber review during the design process.

Well, that sounds like they're doing a cyber review during the design process which they're not doing. At this point, that's not what they do. They design a system. So thank you for illuminating that, Dennis. That's what I'm -- and that's the suggestions I'm going to be hoping for --

(Simultaneous speaking.)

CHAIRMAN SUNSERI: Well, I'm going to interject here, though. I think it's been clear guidance provided that a physical security designer should take in their design considerations and build security into the designs. I doubt that they are ignoring that kind of philosophy here.

MEMBER BROWN: Oh, no. That's in there, the physical security part. And --

(Simultaneous speaking.)

CHAIRMAN SUNSERI: So they're not completely separate. You can do a cyber review when you're doing the design.

MEMBER BROWN: The physical part is physical. That's insider threat. And we're talking about outsider threat stuff, the electric pathway. You're right, 603, 1993 actually addresses control of access. And it focuses on administrative controls, but that's all.

And they focus -- they've got the administrative stuff in here which is good. They talk about it in both of them, but they don't do the recognition of the other side of it. That's just the only point I'm trying to get across.

MS. JOHNSTON: Understood.

(Simultaneous speaking.)

MR. BEARDSLEY: So why don't we bring up the slides. I just wanted to address two points: one that Member Brown made and one that Member Bley made. So when he used the example of controls to pumps, right now in the current fleet the system that would send the controls, the pumps, the valves, all of that is protected by the data diode.

So as a collective set of systems, everything is protected by the data diode from the internet today. And then the point about systems that you couldn't do virus protection or couldn't do those, there are controls requiring those protections in the cyber security requirements. If the licensee can't do it, they have to analyze the control and identify in their assessment how they would -- what alternates they would use for protection.

So they have to apply protection to higher systems or networks. So it's not like they don't do anything. They have to do an analysis. And that's one of the things that we looked at in inspection is those analyses to see how they've done the protection. So I just want to make sure that the public doesn't think that there's nothing being done because there is definitely something being done.

MEMBER BLEY: There is and I think we're affected by things that happened 10, 12 years ago --

MR. BEARDSLEY: Without a doubt.

MEMBER BLEY: -- when we had some vendors claiming they didn't need a hardware block, that they could write software and nobody could get through. And we had a lot of discussion. And in the end, they put them in because that was the only way to really resolve it. And we would just like to see that in your language memorialized.

MS. JOHNSTON: Okay.

MEMBER BLEY: Everybody does it.

MS. JOHNSTON: We would certainly question why a computer system -- why it wouldn't introduce failures that would impact the safety function from being performed. And if it had a one-way diode, that would be a really simple answer. If they don't, then it's opening up for a lot more questions on the reliability of that design.

MEMBER BROWN: I can give you one example in one of the last designs we looked at. There was an output from the reactor protection systems and safeguard controls. Both of them had a unidirectional. Of course, we kind of suggested that, and they agreed to do it. But then they also had it feeding a network which went out to the world. And that was bidirectional.

MS. JOHNSTON: One other --

MEMBER BROWN: And we -- let me just finish the thought here real quick. Okay? I'm not criticizing.

MS. JOHNSTON: No, it's okay. Go ahead.

MEMBER BROWN: We dug in our heels. And the applicant decided that the input into the network also ought to be unidirectional, hardware-based which was the right way to do it just to provide that second barrier. But when you're doing it without some mention of this differentiation between the types of systems, what you can do and can't do, I understand your point about everybody is protecting their control systems.

Nothing can come in to them. They've got a data diode there so it can do it. But a lot of those vendors think it'd be great to sit back in their place and send new software updates to their control system because they found an error and they can send it via the internet and all the way down into the system and right into the -- that's just great, isn't it? You really ought to be coming in and opening up your cabinet and downloading it.

MR. BEARDSLEY: And they wouldn't be able to do that with the current regulations in there.

MEMBER BROWN: Anyway, go ahead. Let's go ahead --

(Simultaneous speaking.)

MR. BEARDSLEY: One other question.

MEMBER BROWN: -- do her thing.

MEMBER BIER: Yeah, I guess the one other

MEMBER BROWN: I'm sorry, Vicky.

MEMBER BIER: -- comment that I would add that's come up in some of the previous discussions is that handling at the inspection stage is kind of late if a plant has already been built, assuming a different solution. So --

MEMBER BROWN: That's correct. We had made that point before.

MR. BEARDSLEY: Okay, okay. At this point, we'll turn it over to Kim Lawson-Jenkins who will provide the update on Regulatory Guide 5.71, Revision 1.

MEMBER BROWN: We have time, right? If we're quiet during the slide presentations. That's probably wishful thinking. Kim, go ahead.

MS. LAWSON-JENKINS: Yes, thank you.

MEMBER BROWN: Thank you.

MS. LAWSON-JENKINS: My colleague, Michael Brown, will be advancing the slide for me. Thank you very much for this opportunity to present on Regulatory Guide 5.71, Revision 1, the draft guidance that we're hoping to get out for public comment soon. The Regulatory Guide is an acceptable implementation of Title 10, Code of Federal Regulation Part 7354. That regulation was made effective in 2009, and the original version of Regulatory Guide 5.71 was introduced -- issued in 2010.

The cyber security rule which is what we call -- generically call 7354 protects computers, equipment, and systems that affect safety, important to safety, security, and emergency preparedness functions. That's what the rule says. So this is one implementation that we found acceptable for implementing that rule. Next slide, please.

Okay. When I was asked to give this presentation today, there were three things that I was directed to doing this. Number one was discuss the summary of the changes in Reg Guide 5.71 over the last ten years. Number two was to discuss any changes to the guide based on the EDO direction earlier this year. And number three, any changes that we made since the subcommittee meeting just this past October.

The first two items with what I presented in October, just a subset of the slides. And we'll talk about number three. Some of these things you've actually discussed already before the presentation. But we can still elaborate on them. Okay.

There was an -- the draft guidance was originally revised in 2018. And we actually issued that, put that out for public comment. The main purposes of that was to clarify the regulations based on lessons learned through the first set of inspections we -- cyber security inspections we did from 2013 to 2015.

As Jim mentioned, we only had one new regulation which had to do with cyber security event notification. Between the original version of 5.71 and the draft version we put out, NIST Special Product 853, had a new revision of the security controls for federal systems. So we updated the slides based on some of the changes in there.

And shortly after, the cyber security rule was issued and also the guidance was issued. The Commission gave direction on how to handle balance of plant equipment at nuclear facilities. And that version of the draft guidance updated content based on that.

Also, yes, I want to mention that there was IAEA security guidance that was issued in 2011. So we noted that also and picked up a few of the best practices that was in the IAEA document. The work on the draft guidance was delayed for two years because we were approaching the new set of inspections that we were going to implement.

So there was a decision made to wait until we completed those new set of cyber inspections. The post-assessment work we did on how we did the program in general and also industry as Jim mentioned had a lot of lessons learned from their implementation of their program and the inspections that they wanted to get done. So everyone thought it was desirable to wait for issuing this guidance. Next slide, please. Mike, next slide. Okay, thank you.

So once we made the decision to delay issuing this guide, we actually started on some new updates. That gave us more time to do more things. At that point, a lot of the guidance for cyber security -- not just international guidance -- but if you look at the NIST guidance, it's definitely focused more on risk informed cyber security. And we picked up that information.

There was some discussion earlier about some things that we've seen. I think someone else has to go on mute. Thank you. There was, what areas did we see multiple findings? Okay. And one was the need to have more accurate information about the equipment that the licensees have at their plant, specifically the critical digital assets that as we said could affect safety, importance of safety, security, and emergency preparedness functions.

New international standards and guidance were issued. And also another version of a NIST cyber security document was issued. So we picked up any applicable changes for that.

And of course we addressed any public comments that we received in the -- when we issued the document for public comment in 2010. I would like to say I shared those public comments with -- as a package with the subcommittee. And as I mentioned then in the presentation, a lot of the really useful information that we received was from vendors who had questions about how to implement things in their design. Okay.

So they are very much interested in this document. Even though the regulation and it's based on operating plants, the bottom line is that the licensees rely on technical requirements that are implemented by the equipment. Okay. So people who manufacture security equipment, people who manufacture safety equipment but they want it to be secure, they're looking at that information that comes in the guidance.

And the licensees and the applicants are going to rely on the equipment to implement some of these requirements. There's two ways when you're doing cyber security or any kind of security. Either the equipment itself can have security functions which you just turn on and start using, or you're going to have to put something in the environment where the equipment is operating to give you that security that you need.

So just because the guidance is for operating plants, the safety functions don't just happen in a vacuum. They rely on this information that's coming out of the guidance. And that's why we really want to get this out in the public sphere very soon.

MEMBER HALNON: So Kim, this is Greg Halnon. The licensees will rely on the equipment to do the job. But if it's found that they don't do the job, the violation goes to the licensee, not --

MS. LAWSON-JENKINS: Absolutely.

MEMBER HALNON: Unless it's a Part 21 issue. So this is subject to Part 21 too. And so the licensee still -- I mean, I just want to make a point. They need --

MS. LAWSON-JENKINS: That is true.

MEMBER HALNON: -- to understand it, need to make sure and do the validation and require the vendors do the equipment --

MS. LAWSON-JENKINS: Right. Which is absolutely --

MEMBER HALNON: -- in the right way.

(Simultaneous speaking.)

MS. LAWSON-JENKINS: We put this information in the guidance that the licensees have to understand the functions, not just actually the safety functions but the security functions and to use those appropriately. And my colleague, Mike Brown, who's advancing the slide, one of the areas that he's working in is supply chain because no one knows the equipment like the company that manufactures it. They will know the vulnerabilities if there are any there, even though you have researchers always trying to find that too. Okay.

They will know the best way to fix those vulnerabilities. Okay. And they are the best people to know how to secure the device. So the licensees and the applicants must, must have a lot of communication with the vendors to adequately protect their plant and equipment. And the guidance does encourage that communication that it's clear now that they have to communicate and know what's in their plant. Next slide. Thank you. Next slide, Mike.

Okay. So as you can imagine after ten years for cyber security, there were quite a few changes in the Reg Guide. And this page I'll mention very briefly one and then we'll go into more detail about each section. Please again if someone else is not on -- on speaking, please go on mute. Thank you.

Okay. So Section C is the staff regulatory position. Okay. So some of the information that we gave for clarifying is to add text for risk informed cyber security. We added the information that I spoke to earlier about balance of plant identification of those assets.

We added decision points in the text -- diagrams and text for identifying CDAs as was mentioned before the presentation that the licensees and the NRC got a lot more experience in identifying which assets really do affect safety and security and emergency preparedness functions. We updated text on defense-in-depth protective strategies. This is really important because there definitely has been some confusion on what defense-in-depth is, and we'll talk about that as we move along in the slides. But to clarify -- yes?

MEMBER BROWN: Without -- you don't have to change the slides. Just the first item on there, just -- and I don't remember clearly. I thought I looked for this when I was muted. You added -- I remember reading the risk informed cyber security text that you went through.

And I don't disagree that there's a wide range of stuff. Some things you add that I really don't care. Some stuff, yeah, a little bit but not as much. You think a risk not doing any, that's fine.

But there's a category of stuff like reactor safety stuff that's really not amendable to a risk assessment. It has to work. You don't kind of -- it can't kind of work. It can't kind of trip the reactor. It can't sort of start a pump. It's got to start all of it or the required amount of it.

I would suggest that you think about identifying there's classes of equipment where risk doesn't really work toward. And I'm not quite -- I'm not trying how to tell you how to do that. But there certainly are.

I would hate to see the reactor scram system say, we're going to do a risk assessment of that, whether -- how do you do that? And if you got a better answer than I do, fine. I just didn't understand how we apply that.

MEMBER BLEY: Yeah, I'm a little concerned

(Simultaneous speaking.)

MEMBER BLEY: -- that you're giving such advice to this staff --

(Laughter.)

MEMBER BROWN: That's all right.

MEMBER BLEY: -- because you do a risk assessment isn't the reason why reactor scram should sometime fail. It might. Risk assessments try to acknowledge that and understand the impacts of it. It's designed to work. It ought to work. But the risk assessment has nothing to do with building something into a system that lets it fail. That's a bad concept.

MEMBER BROWN: But that wasn't the way I read the stuff that I read.

MEMBER BLEY: That's what it sounded like.

MEMBER BROWN: But that's I'm remembering -- again, it's been two months since I read this. So --

MS. LAWSON-JENKINS: We're actually going to have a slide on this informed security.

(Simultaneous speaking.)

MEMBER BROWN: Okay. All right. That's good. Go ahead, Kim. Thank you.

MEMBER BLEY: Hey, Kim. Let me ask you a quick question. And this is for my own edification and you didn't do it. It seems as if the staff has changed the structure of the Reg Guides.

And now C-3 are the regulatory positions. But as in your guide, you never use that phrase. And somebody else's guide that we got recently, they did the same thing except they kept referring to Regulatory Position No. 1 and No. 2 which got very confusing because they weren't defining the section. If anybody knows what's going on, I'd just be interested in why we've changed the format.

MR. BEARDSLEY: Well, I think one of the big points with the Regulatory Guide 5.71 is it provides a template for a cyber security plan which is where the meat of the licensee's commitment comes. And so when we say regulatory position, those are the requirements the licensee has to meet in their cyber security plans. There's another Reg Guide that doesn't provide that same structure, may put them in a different place. I can't answer your question explicitly. But that is why we did it this way in our Reg Guide.

MEMBER BLEY: Okay. But you don't call them regulatory positions in this Reg Guide. You never mentioned that --

(Simultaneous speaking.)

MR. BEARDSLEY: We do not. We call them licensee requirements.

MEMBER BLEY: Yeah, but it's perfectly clear. Okay. There's no real answer.

MS. LAWSON-JENKINS: And I have to admit I did not change the structure of the original guidance because I didn't want to get to the space of backfit. Okay. So there might've been some better way of restructuring the guide. But especially on a topic as expansive and comprehensive as cyber security, I really didn't want -- I wanted to be clear what we changed and why rather than restructure --

MEMBER BROWN: This is the same as --

MS. LAWSON-JENKINS: the whole document.

MEMBER BROWN: -- rev 0 is what you're saying --

(Simultaneous speaking.)

MS. LAWSON-JENKINS: Yes, compared to rev 0.

MEMBER BROWN: -- which was a good idea.

MS. LAWSON-JENKINS: So it made clear what we --

MEMBER BROWN: I understand that.

MS. LAWSON-JENKINS: -- change and why. But I did not restructure. If any of the guys changed in the future, that was fine. But I really want to be clear on what we did and why.

MEMBER BLEY: Okay. I wasn't implying that. I was just curious about what was going on across this. It's irrelevant to your presentation. Your structure is great.

MS. LAWSON-JENKINS: Okay. Thank you. We'll talk again about defensive architecture and why we have what we have in there. And like I said, we'll have more details about that when we get to the slide. We updated text regarding the use of alternate controls because, as I said, the guidance we have in here is one acceptable way of doing it.

Many times, licensees decided not to use certain controls that we suggested. And we wanted to clarify when that was appropriate, what kind of evidence they needed to show that what they did was sufficient. We updated text to clarify the use of a consequence-based graded approach in applying security controls.

And I think this is tied to that first point that everyone was worried about risk informed cyber security. I guess the best way to try to explain this is that people do have to understand what they're doing and why and what risk is associated with it. If you need something that want to have very little or no risk, you will just find that accordingly. You will.

But you have to look at the problem. A lot of times, people have no idea of the unknown or what they don't cover and things like that. And part of this risk informed cyber security is acknowledging what you're doing, why you're doing, saying what you do know, and how you're going to adjust when new things come along and on things you don't know. Okay.

So just because you're doing cyber informed -- risk informed cyber security, I'm saying you apply risk to everything. And in actuality, in a way, you do. You're just saying, we aren't going to accept any risk on certain areas. And you have to protect those things accordingly. Okay.

And that's what we're doing here when we say what controls you apply. But the first step is to identify what's important and why you can or cannot tolerate a certain amount of risk. And that is absolutely critical.

And the last point on this slide is to talk about the technical controls that can be incorporated using the design certification. And also the updates we did based on the cyber event notification rule. Okay. So we'll talk about, like I said, a lot of these things in detail. We have slides for every one of these items. Next slide, Mike. Thank you.

Okay. So we added a reference which is actually based on some of the comments we had to the sections of Reg Guide 1.152. Like I said, we'll have a slide on that, Revision 3. We added many more examples of continuance monitoring which is really one of those lessons learned that's crucial over the past ten years.

You don't implement controls, you don't implement a plan and say I'm good. I don't have to worry about it anymore. You have to make sure those controls are in place and they are working as intended. And you have to understand in your system when you start seeing new things. We gave a proposal, introduce text to say how and the way of licensees using metrics to measure how effective their analysis of this system is.

As I said, we added a lot of text regarding how licensees could have quality CDA assessments. We'll talk a bit more about that when we get to the slide. One of the reasons we had more pages in the updates -- the updated document for 5.71 is we added clarification for every security control in Appendix B and C saying why these controls are needed, the purpose of them so then the licensees could understand if they wanted to substitute, use a different control, how those new controls were meeting the intent of the original control that we recommended.

We added new terms and definitions in the glossary. Like I said, we learned a lot over the last ten years, not just the Nuclear Regulatory Commission by cyber security professionals in general. We clearly updated the references. And throughout the document, we had lots of editorial changes based on public comments, OGC comments, and peer reviews.

MEMBER BLEY: Kim?

MS. LAWSON-JENKINS: Yes.

MEMBER BLEY: It's Dennis Bley. I'm curious as to what kind of response you've gotten back from the licensees. Are they appreciating the added detail you've provided?

MS. LAWSON-JENKINS: I think it's going to be one of those it depends. Well, first of all, we haven't gotten this out for public comment yet. So once we get it out for public comment -- once we get it out for public comment, the industry will have an opportunity to give input officially.

The input we got when we tried to put it two years ago in 2018 was that you need to wait. So we finished the assessments. And then also we wanted to finish the inspections and it would be a better time to do this. So it was more, we need to wait. That was the main input and plus risk informed security. Okay. But mainly to wait.

MR. BEARDSLEY: Industry has seen the document, both in 2018 and after release of last summer. But there has not been a formal public comment process for them to provide us feedback.

MS. LAWSON-JENKINS: Right. But they will have an opportunity. We will have -- we hope to have two public meetings on this document when we do issue it for public comment. Okay. Next slide, Mike. Thank you.

Okay. So this was the slide that I had on risk informed cyber security. And as I said, it's a way of categorizing and to understand what is important -- what is important at the plant as far as facility functions including the identification of SSEP functions, threats to the facility, the specification of requirements which will include the cyber security program. The program usually consists of a plan.

That's what we implement -- they usually implement based on a plan and the defensive architecture and the defense-in-depth methodology that they use. They will use -- if they want to use a graded approach, they could look at seeing where in the security architecture they put the most protections and place those devices in that logical boundary where those devices are protected. And this is what was relatively new that we wanted to clarify for risk informed security. There has to be some kind of validation and verification of the implementation of that program.

Okay. Like I said, it isn't just a matter of implementing it, thinking everything is working or saying the first time it worked and never doing anything else with it. You have to show that you are protecting the right things, that you can react if something changes, that when new threats come along to be able to say based on your program how you're going to deal with that. It's really ongoing, continuous monitoring of your system so that it is not a one time done thing, after inspections, we don't have to worry about it.

MEMBER HALNON: So Kim, back to a question I had earlier, how do you physically do that? Do you have the ability to -- or do licensees have the ability to inject a cyber threat and watch their systems defend against it? Or --

(Simultaneous speaking.)

MS. LAWSON-JENKINS: They can use -- they can -- there's several things, first of all. Right now, they do have outages when they do bring down equipment to make updates and changes to the system. So there is some testing.

If they wanted to, they could -- this is an example. It isn't a requirement, but it's an example, okay, that they can do things that way. They can have simulations of those systems because they have to verify it when they make certain changes to the systems that they aren't changing the security posture of it. Okay.

So many more licensees are moving to being able to model the effect of their systems. And that's one area that I know I've been working on lately in some of the standards groups to understand what goes into a very good security model, okay, things like that. But the main issue -- the main -- the important points, I think, to understand this is that they really must understand what they have at their plant because in a way you have to think the best analogy is that they have to think like attackers these days. Okay.

The attacker when you get malware, it'll come on to your system and it'll see what's there. That's the way malware works. It sees what's there. Okay. And then once it sees what's there, it sees what it can speak to, talk to, what it can do. And then it may propagate itself through the network. That's a very simple over-generalization of what malware can do. Okay.

(Simultaneous speaking.)

MEMBER HALNON: And I guess I'm just curious --

MS. LAWSON-JENKINS: No, let me make this -- this is an important point. I always tell the licensees that the malware, a potential malware should not ever, ever know more about your system than you know about it. Okay. So if they understand their system well, they can pretty much start modeling and explaining why their system will operate and be able to respond adequately to any kind of problems.

MEMBER HALNON: Well, just the validation and verification, and maybe it's something for future research to figure out benign -- being able to inject a benign malware or something and see how far it gets or something to that effect.

(Simultaneous speaking.)

MS. LAWSON-JENKINS: Okay. Please don't confuse those two things. I did not say inject malware in your system to figure out that it works. That is not what I said.

MEMBER HALNON: It comes down to is it just a paper exercise or is it something that you're -- a validation and verification makes it feel like there's something physically you're going after and trying to do.

MS. LAWSON-JENKINS: But you have to do this all the time in network development where you develop systems. You have to -- you cannot always test -- especially you cannot always physically test what you're using. Times have really changed.

You have to be able to model and simulate and test input and output before you actually build the devices. That's how -- I've been in development. That's how you have to do it if you want to get things in a timely manner and still have a secure and efficient system.

MEMBER HALNON: I agree. But the design is static. I mean, it's done. Go install it in the plant, then it becomes a head exercise after that. But we can move on. Just --

(Simultaneous speaking.)

MS. LAWSON-JENKINS: Okay. But you can use -- if something is not operational, you can use a scan to verify what's going -- how your system -- your equipment is operating before you restore it to in use. So there are ways of testing and making sure that the configuration hasn't changed, that nothing is there that shouldn't be there. So as I said, when you have outages, those are the perfect times to do some of this verification and validation that you cannot do when the system is online.

MEMBER HALNON: On some systems. There's a lot of systems that we're talking about here.

MS. LAWSON-JENKINS: I know.

MEMBER HALNON: It's a tremendous amount of work to add to an outage.

MS. LAWSON-JENKINS: Which is why you need to know what's important and do the consequence-based analysis on it. You can't look at everything. You can't. So you have to focus on what's important and know why it's important and --

(Simultaneous speaking.)

MEMBER HALNON: It feels like the design organization would be bigger than the regular physical security organization.

MS. LAWSON-JENKINS: Next slide, please.

MEMBER BLEY: Well, it's got its finger in everything. So maybe that's not the wrong approach.

MS. LAWSON-JENKINS: I will get to talking about our resources, things at the end. I am going to briefly mention that. But I'll go on with this next slide, though, balance of plant. Okay. So we did introduce information about balance of plant equipment.

There's going to be updated guidance from the industry on how they're classifying identifying, classifying, and protecting balance of plant equipment. Okay. But in our guidance, we mention an identification function for the equipment. The balance of plant equipment has to be listed there when you're deciding on what to protect.

Now keep in mind this is not an either/or. Okay. Because if you look earlier in number 3, if the equipment provides a pathway to a critical digital system or a Critical Digital Asset, then it's a CDA. Okay. It really doesn't matter what else you do.

If you keep going, it's going to be a CDA if it provides a pathway. Okay. But they have to -- you have to look at all these things at some point, not just one. So you don't just say balance of plant and we don't care what it does in the system and what it speaks to and things like that. It's one of the considerations but not everything. Next slide, please.

Okay. For the identification of Critical Digital Assets, we made a few changes to this slide. Number one is, does the system contain any digital components from the software? That wasn't in the original slide.

We, again, added information about BOP. And then the text, we talked more about whether this device protects other critical groups of assets. The diamond was there before. But we actually explain in a lot of text that spoke on that point.

Because as I mentioned earlier in the presentation that either the device itself can have security functions or you can add a device to the system in the environment where the equipment is operating and have it protect the device. And there was some debate or discussion with industry. And it was a little too early when we spoke about the kiosk, okay, whether or not that was a Critical Digital Asset.

From my point of view, it would've been. But industry elected a lot to do that in the way they implemented their program. That's fine, well, and good. But I remember we had the discussion that it had to be protected at the same level as the device is protecting.

It made no sense to have it provide a protective function and it's not the same level that totally invalidates your defense of architecture, where you have the most critical things being protected. And also I raise the point and industry understands that if that device is protecting multiple Critical Digital Assets, it's actually a higher value asset because the impact if something happens to it is greater than if only one device fails. So like I said, there's been a lot of discussion with industry and going back and forth on what is a Critical Digital Asset.

And regardless of what you call it, we do this because we're humans. Okay? We can write programs. We can write procedures that say if something is a Critical Digital Asset, this is how you treat it.

At the end of the day, the attacker doesn't care. They really don't care how we label these devices. They're going to only go about what it does, okay, and how they can affect it.

So we have to use this information wisely. Okay. And I saw, well, because it's not a CDA, we don't have to protect it. It's what it does and what its communication that it's supporting. And that's what's reflected in this new text. Next slide, please. Okay.

Defense-in-depth protective strategies, that the strategies should employ multiple, diverse, and mutually supported tools, technologies, and processes to effectively perform timely detection of, protection against, and response to a cyber attack. That is a lot in one sentence. It is a lot. But that's why defense-in-depth for security, especially cyber security, is not one or two things that they must do to meet that defense-in-depth requirement. Okay.

MEMBER BLEY: I'm just curious if you played your definition of defense-in-depth against the NUREG. I forgot what they called that new set of general ones. I think it's No. 5 or 9 on defense-in-depth.

MS. LAWSON-JENKINS: Oh, is this physical security? Or what are we referring to here?

MEMBER BLEY: The term, defense-in-depth, and what it means.

MS. LAWSON-JENKINS: No, no. I mean, what document are you citing?

MEMBER BLEY: I'll tell your colleagues here before they leave.

MS. LAWSON-JENKINS: Okay, okay.

MEMBER BLEY: I just have to look up the title.

MS. LAWSON-JENKINS: Okay. Well, for --

(Simultaneous speaking.)

MEMBER BLEY: No, it's just one of the general NUREGs.

MS. LAWSON-JENKINS: Okay. For Reg Guide 5.71, to meet the cyber security rule, when someone receives a violation of defense-in -- based on implementing defense-in-depth, this is what we mean because it's really important. And I could give multiple examples of this as we go through the presentation. Clearly for software, you can't have the same software everywhere. Okay.

If you have one vulnerability, and you just mentioned that on some systems you may not want to be updating all the time. That's going to play into the decision, well, maybe you need to use a different type of software or technology there. That's something they -- and that's why, yes, the decision needs to be made before you install the equipment.

Sometimes we say, as you've seen in Appendix B and C, there's lots of cyber security controls that you can install. And sometimes a licensee will say, we'll need to install of these. We can do a few.

And maybe based on the analysis they can. But as I said, we add lots of information about why a control is there. Okay. And a lot of times, you have these overlapping things to protect if one of the controls fails. So there's a lot involved in this.

But like I said, and this is just one sentence. We didn't include all of the text. But clearly, we have a lot of information about what defense-in-depth means as far as the cyber security requirement. Next slide, please.

Okay. Protecting SSEP function, that comes straight from the cyber security rule, 10 CFR 73.54. The rule says to protect the function. So once again, if someone could go on mute, that would help a lot.

The functions that are the most important are the safety and security functions. And that clearly if you're placing those in the defense of architecture where you have more security as you go into the architecture, you're going to place those at the highest level. So the point being made before where you want to have very little risk -- very little interaction with outside systems where you're going to care about those things, you're going to place those devices at the highest security level in your architecture.

A function can be implemented by one or more systems. And as I said, the system allocation to a security level is dependent on the safety or security significance of that function. So using risk informed doesn't mean you're allowed to introduce more risk into the system.

At least it just makes sure that you actually looked at it. And you're making decisions based on knowledge of your equipment, knowledge of the plant functions. And you're placing them at the appropriate part in your defense of architecture. Next slide, please.

Initiation of communication from access from a lower security level to a higher security level, if you have that communication, to be done on a deny all and permit by exception basis with the exceptions supported complete justification and security risk analysis. I can't speak to plants. I'm not going to speak specifically to plants that have been built 30 years ago.

And there's some systems in those plants that are never touched. There are a few of those that are never touched. All you do is just receive information from it. You don't even do configuration changes. Okay.

Most systems now have software running in it. It may be a little bit, they have software running. And you have to be able to make changes to that software.

Sometimes they're configuration changes. Sometimes it's a vulnerability that's there. And based on how you designed your system, you may decide, I don't need to address that vulnerability, if you don't have any kind of connections to it.

But by being in a system -- in the communication systems, it's communicating. And this is where Member Brown and we are in agreement that you have to tightly control the communication. So it has to be decided if there's no communication coming in at all ever, okay, then you don't have to have that exception.

But on things -- if you have several security levels and all your security vulnerability updates come from a different system that will not be at that same level, you have to have some way of performing those updates. I mean, that's a requirement of your cyber security plan. And this was a mechanism to let them do that. Do we have any questions on this one, because we had quite a bit of discussion on this at the subcommittee meeting?

MEMBER BLEY: No, but I want to go back and remind you that the document I was talking about is NUREG/KM, that's Knowledge Management, 0009, which is a historical review and observations of defense-in-depth. It was done several years ago because almost everything around NRC had a different definition of defense-in-depth. And they were trying to pull it all together. So I hope you can fit yours within this or get somebody to reconcile things because it's been so confusing over the years. It's good to have it clarified.

MS. LAWSON-JENKINS: Okay. I will look at that document. If it hasn't been updated for several years, I won't claim that this -- the definition we currently have now is going to be in there. But I know the definition we have now is very similar if not the same as what defense-in-depth is for the NIST 882 which is for industrial control systems. Okay.

So they do the same thing saying you have multiple overlapping controls so that if one control fails, you won't have a problem. If you have a vulnerability that has to be addressed in one area, you have diversity that will help with that. So I will look at that.

But for the cyber security plan -- and I can understand wanting to have a one size fit all or an inclusive definition. And we can see if the other document possibly could be updated. But we are in alignment with what NIST says. We're in alignment with the international standards on this also for security.

MEMBER BLEY: I guess if it ends up they're separate, I hope you would call it cyber security defense-in-depth to clarify --

MS. LAWSON-JENKINS: Okay. That's --

(Simultaneous speaking.)

MEMBER BLEY: -- because the rest of this agency tried to pull all of their definitions together through this document.

MS. LAWSON-JENKINS: Fair enough. I understand the comment. Can you, one more time -- I'm sorry. I know there'll be a transcript of this. Can you repeat the document number again for me, please?

MR. BEARDSLEY: I have it, Kim. I'm sending it to you in a message.

MS. LAWSON-JENKINS: Okay. Thank you. Okay. Next slide, please.

MEMBER BROWN: Nope, nope, nope, nope. You said we had considerable discussion on this issue before in the last meeting. We made the comment in rev 0, this bullet completely prohibited communication from assets at lower to higher levels. And so we made the comment this would require basic communication therefore to be bidirectional and software configured so that you could permission by exception and then execute whatever you wanted to with software commands.

And the way it was written could be to apply protection, safeguard controls. And so you could have access to anything with this deny all, permit by exception communication from lower to higher. I believe it was you, or maybe it was one of the other people talking, went through a considerable discussion about kiosks and other type set ups that you had.

And I don't remember all the details. It wasn't elaborated. But you all commented that no, no, no, no, it was not meant to apply, and that you all were going to clarify -- it was only supposed to apply to some specific circumstances and not as we had perceived. I wasn't the only one that made this comment. I think Dave --

MS. LAWSON-JENKINS: We haven't gotten to that discussion point yet.

MEMBER BROWN: Oh, we haven't? Okay.

MS. LAWSON-JENKINS: No.

MEMBER BROWN: I just saw it, so --

MS. LAWSON-JENKINS: I know. Two more slides, okay? Because I'm --

(Simultaneous speaking.)

MS. LAWSON-JENKINS: -- going through the slides.

MEMBER BROWN: Are you going to do something about that? Is that the point? Okay. All right. Oh, okay. Got it. All right. Thank you. Go ahead, Kim. I'm sorry.

MS. LAWSON-JENKINS: No, no, it's fine. I want to make sure we address every issue. Honestly, I really want to do that. Minimizing the attack surfaces and pathways, that for defense of architecture, this is -- I only want to say this is a best practice.

This is almost a requirement because it goes into understanding what you have on that system and understanding why it's there and so that services and protocols cannot be used against you as an attack factor or some vulnerability. So the licensees and applicants should remove applications, services, protocols that are not necessary to support the design basis functions and for the CDA. Basically, you eliminate things. You reduce the attack surface.

And as I kind of mentioned before, you use implementation of multiple diverse technologies so that it will address the attack surfaces for the environment. And -- okay, we'll talk about this in the next slide too -- that the protections of a defensive architecture are not bypassed or circumvented. Okay. So I'm going through these slides based on the changes we actually made in the document.

So the next slide, Mike, okay, is going to address, I believe, the concern or discussion we had. Next slide, Mike. Yes, this was the information we added after the meeting in October. Okay. For necessary and required -- and this is the exact text -- necessary and required firmware, software, and/or data updates for a digital device, digital asset protected behind the data diode. An acceptable way to implement the update that does not circumvent the data diode protection for wired connections in the architecture is by implementing whatever measures you want to do that does not -- that the update is not verifying and assuring that the update does not contain no malware and the integrity of the update is maintained during transport.

Okay. So this is why -- this text would be why no one can just -- first of all, the data diode is there for protecting wired connections, okay, physical wired connections. So no one can say, I want to do a remote update by attaching -- making the connection remotely based on that. You cannot do that because the integrity of the update can't be maintained. And your bypass is you're circumventing and bypassing the diode detection for wired connections.

Okay. The acceptable way that licensees have implemented this is if they've implemented this. It's if they've implemented the kiosk. They've implemented processes to get the information from a vendor with digital signatures and verifying that there's no malware there and it can be only transported on secure USB devices or DVDs. So they have a process to do this that does not circumvent that wired connection of that data diode.

MEMBER BROWN: Kim, I don't disagree with what you said here. What you're effectively talking about, you're now back in the physical access of control. You make sure that anybody that wants to come in on the backside --

(Simultaneous speaking.)

MS. LAWSON-JENKINS: Physical --

MEMBER BROWN: -- coming in through the backside. You want to do --

(Simultaneous speaking.)

MEMBER BROWN: -- software update and design and change the software. You've got to protect it in transport. You've got to protect it when it's developed at the vendor, and you've got to protect it in a manner how you introduce it into the equipment.

MS. LAWSON-JENKINS: Yes.

MEMBER BROWN: Very common sense. And that's what that says to me. Is that --

MR. BEARDSLEY: That is correct.

MEMBER BROWN: Am I reading that correctly?

MR. BEARDSLEY: That is correct.

MEMBER BLEY: And I want to go back to one of Charlie's first comments. I'll just point out to you that in your glossary, you don't have data diode. You've got to have data diode in the glossary and explain what it is.

MEMBER BROWN: And I want to give you a help on that letter.

MS. LAWSON-JENKINS: Okay, okay.

MEMBER BROWN: The data diode is effectively a unidirectional, hardware-based, not configured by software data transmission device. Really easy.

MS. LAWSON-JENKINS: Okay.

MEMBER BROWN: I mean, if the Committee agrees, that's just -- and you also use the word, one way, in a bunch of places. I don't disagree with that. But it's really synonymous with data diode. And you might want to somehow --

(Simultaneous speaking.)

MS. LAWSON-JENKINS: Usually why I say one way in the text is usually with one way. And I say it's implemented using hardware mechanisms.

MEMBER BROWN: If you've got the extensions on there, that's fine. I thought I saw -- but I'm just pointing out is that they're really synonymous.

MR. BEARDSLEY: So I think for history's sake when the document was originally developed, it was unclear whether there'll be other technologies that could perform the same task as the data diode. So we define it as a one way deterministic device. Left it to the licensees to figure out how to meet that requirement.

They all chose a data diode. So I don't disagree with your point. And defining a data diode, we have the comment. But that's the reason we are where we are today.

MEMBER BROWN: Okay.

MEMBER BLEY: And that's a very good definition. I don't think anybody would --

MEMBER BROWN: No.

MEMBER BLEY: -- object to that.

MEMBER HALNON: I'm curious about this known malware. I mean, is that a list of stuff that you compare? Or it seems like you wouldn't want any malware much less the known stuff.

MS. LAWSON-JENKINS: This is a common term in cyber security. This is not an NRC term. Okay. There's, in general, two types of malware. Malware that has been identified, there's a signature for it. Security devices can find it, can identify to find it. And then there's clearly what they call the zero day exploits.

MEMBER HALNON: Okay. So this is --

MS. LAWSON-JENKINS: Things you don't know about.

MEMBER HALNON: -- what's physically tossed.

MR. BEARDSLEY: So right, remember these words are going to be a license requirement to the licensee. So if we said no malware and the licensee had a zero day that no one knew about and got through, we could theoretically write a violation. And so we termed it this way because we didn't think that was fair. You've got to have other problems than that if it's a zero day.

MS. LAWSON-JENKINS: If it's a zero day, that's why they need to minimize the attack surface so that there's less things that the attacker can exploit if they get on your network, if they get on there.

MEMBER BROWN: But fundamentally, it comes down to all virus detection software is fundamentally. In general, it's reactive.

MS. LAWSON-JENKINS: It is reactive.

(Simultaneous speaking.)

MEMBER BROWN: -- know about it. You store all this stuff in your detection software. But it's reactive. If something new comes up and you see it happening, every day in the newspaper some days, that's the -- what do you call it, a zero day? It's a zero day thing.

MS. LAWSON-JENKINS: Yes.

MEMBER BROWN: It's a new one. Now oh, now it's caused a problem. Now we're going to put that into our database so that we can protect it.

MS. LAWSON-JENKINS: Exactly.

MEMBER BROWN: That's why I'm so hard over on this stuff in reality. And I apologize for milking these cow many, many times.

MS. LAWSON-JENKINS: If wired connections were the only way malware could get on the network, I would --

(Simultaneous speaking.)

MEMBER BROWN: Oh, no. Absolutely.

(Simultaneous speaking.)

MS. LAWSON-JENKINS: Okay, okay.

MEMBER BROWN: If you've got a hardware diode there, it can come in via somebody, bringing in a new software upgrade. That's where the physical protection -- they have to work just like in the old days, physical access, changing set points, doing something to cards. Now you got to make sure the software -- it's like changing out a part. So you've got to make sure that part is a good part. And it's hard to do.

MS. LAWSON-JENKINS: So using --

MEMBER BROWN: It's very hard.

MS. LAWSON-JENKINS: -- a data diode will absolutely reduce the risk as far as licensees are concerned. They rely heavily, heavily on use of a data diode. So from the licensees' point of view, I don't think you'll have a real problem with that. It's more of a design issue. Okay?

And I understand this, where you're looking at it from -- especially from the safety point of view. But I know from experience licensees leverage safety requirements. If they did something for safety, they say, well, we take credit for this for security also.

That may or may not work depending on the site and the design and things like that. But use of one way information flow control, it is vital for protecting systems. There's no doubt about it. We really don't have any disagreement on that. And if you can introduce it effectively in a way early in the process, that is the better way to do it obviously. But it really is going to depend on the design.

MEMBER BLEY: On some of these other attacks, I spent some time working with the railroads. And they had a very difficult time when they moved over to digital control of their trains. They were bringing in approved software and apparently by approved vendors.

And it was -- had stuff loaded in it. It came in with the upgrades and caused them all kind of problems for a while. I've had it explained to me how our QA is so perfect, that can't happen. It's one I worry about.

MS. LAWSON-JENKINS: It is a challenge. It's a challenging problem. Okay. It is challenging because the adversaries change their techniques all the time.

MEMBER BROWN: Can I hold --

MS. LAWSON-JENKINS: We were talking about

MEMBER BROWN: Can I hold you up for a minute? We're at two hours and 38 minutes into --

MS. LAWSON-JENKINS: Oh, sorry, sorry.

MEMBER BROWN: -- our 3:00 o'clock time. And it's our fault. It's not your fault. It's not your fault. Do we have a little extra time coming up after this?

(Simultaneous speaking.)

CHAIRMAN SUNSERI: How much time do you need?

MEMBER BROWN: Well, we're at slide 13 of 28. But I think the last one says questions.

MS. LAWSON-JENKINS: No, actually, I left the questions out because I figured you'd be asking all the way through.

MEMBER BROWN: If Dennis and I will shut up, we might make it. Really me. I'm going to try to restrain myself from now on. So Kim --

MS. LAWSON-JENKINS: I think we --

MEMBER BROWN: -- go ahead and --

MS. LAWSON-JENKINS: I think we've talked about a lot of these. We will save -- I will breeze through the other ones unless -- I will --

MEMBER BROWN: Okay.

MS. LAWSON-JENKINS: -- explain them. I'll ask for each one, any questions. And I'll keep going.

MEMBER BROWN: I'll try to restrain myself.

MR. BEARDSLEY: We'll make sure we highlight the ones that reflect the changes.

MEMBER BROWN: Exactly. Okay. Go ahead, Kim. Thank you.

MS. LAWSON-JENKINS: Next slide, please, Mike. Okay. The use of alternate controls, as I said, that's why we introduce what the intent of the controls were, if the control cannot be implemented. As Jim mentioned earlier, they have to have countermeasures to make sure to be able to detect if there's any problem because just because you didn't think there was going to be a problem doesn't mean an attack can't happen. Next slide, please, Mike. Thank you.

Use of consequence-based graded approach, this was just repeating what I said earlier, that the most important devices are at the highest security level. And you should be able to reproduce all the time how you made these decisions. There should be a real process to this and consistency to this applying this approach. In the I-1310, there's some guidance that the industry has put out has been decided as an acceptable way of doing this. Next slide, Mike.

Okay. You've alluded to this earlier in some of the discussion that we added for technical security controls that we added this text that they can -- during this design certification that the applicants or licensees can incorporate the technical security controls as a part of the nuclear power reactor. The best way to put this is that very rarely, rarely will equipment manufacturers just put in something. They usually do that because it's requested by a customer or they know they need it to be sold to a customer, whatever.

So yes, as we mentioned earlier, it's the licensee or the applicant that will receive -- the licensee that will receive the violation. So they need to send the security requirements to the equipment if they're expecting the equipment to perform certain security functions. So that's clear.

And for a lot of the technical security controls when we talk about the classes of them, we added information regarding access control, audit and accountability, system and communication protection, authentication identification, and system hardening. Okay, especially the audit. Anyone who knows me in cyber security, I'm a big hawk on being able trace what happened with that device from a security point of view.

Okay. So we added more explanation about what that's really needed. Okay. But like I said, a lot of that information won't get in unless the guidance is out there, whether the equipment manufacturers can read the information or that if information is given to them directly by the licensees. Any questions on this slide?

MEMBER BROWN: I'm not going to restrain myself again. It's not a problem except it's somewhat vague. And they're good generalized words, but it's somewhat vague in that the context of -- within the context rather of systems where you can use the conventional cyber protection mode as opposed to those who can't use them.

So how you balance, how you apply that, it's not in the context of the old analog to now digital controls. And then some of the digital controls can't have software that does anything other than through the controls. Not quite -- just I don't disagree with the sentence. It's just pops in and it's somewhere in the document there ought to be a differentiation again like I said earlier.

Some stuff like safety systems can't have it. And other stuff, you can have the traditional mitigation and identification. Then it has more meaning if you have that up front. This is up in the early parts. We'll see what pops out, if anything --

MS. LAWSON-JENKINS: Okay. If you --

MEMBER BROWN: -- in our report.

MS. LAWSON-JENKINS: I was getting ready to say if you have any specific suggestions --

(Simultaneous speaking.)

MEMBER BROWN: It's not mine. The Committee has to agree.

MS. LAWSON-JENKINS: I understand. But like I said, if you look --

MEMBER BROWN: I'm just a Lone Ranger down here. Okay. Go on to your slide.

MS. LAWSON-JENKINS: Very quickly, the issue, like I said, for the data diode is one control. It's information flow control. Okay? I care about access control in general. I care about auditing. I care about the communication, the type of communication, the encryption if you're going to have any on there, system hardening.

There's lots of things in the technical controls I would like to see actually on the device if possible rather than knowing after the fact there's a report somewhere that, oh, we may have a problem. Okay. And like I said, the manufacturer is the best entity to do these things correctly and well. So if in the future -- like I said, we'll see what comes out in the next month if you have any specific suggestions.

But really I understand the importance of the data diode. And it is important. And we will continue to have it as a part of it. But the sophistication of the equipment, we need to broaden what we think of as technical controls and things that really are important in this --

MEMBER BROWN: My point is not a data diode issue. It's more of a functionality issue of the different types of systems you have to deal with. Some you can use software controls. Some you can't introduce because of their safety function. It's not saying what. It's saying you got to differentiate the world. That's all.

MS. LAWSON-JENKINS: Okay.

MEMBER BROWN: Okay. Go ahead to your next slide. I'll help you move on.

MS. LAWSON-JENKINS: Okay. Next slide, Mike. Okay. Incident response, there was a new regulation which is reflected in the guidance. And we updated the references for NIST and DHS for incident response. Next slide, Mike. Systems and services acquisitions, these is the Reg Guide 1.152, Revision 3. The original text said Section 1.2 -- sorry, Section 2.1 to Section 2.6. It should've been to Section 2.5. So that was -- it was a typing error that was corrected.

MEMBER BROWN: We can handle that one.

(Laughter.)

MEMBER BROWN: You can go on. You can go on.

MS. LAWSON-JENKINS: Next slide, please, Mike. Okay. It's continuous monitoring. I'm not going to spend a lot of time on this because it's self explanatory in the text. But one of the issues -- we're in the maintenance mode phase now for the operating plants.

They've all implemented cyber security plants. They have been inspected at least two times. And they've had a lot of information from us. Now they're maintaining their plant. Okay. And they have to make sure it stays effective.

And that's what this new text gets to. And it's like I said, I added text -- we added text. They had to do with anomaly detection. And that's hard to do if you don't harden the devices. If you have everything on there, you don't know what's new and what's bad.

So it really is just to continuously educate the equipment manufacturers and licensees that focus on what you really need on there and then protect accordingly. If you don't want to worry about new vulnerabilities on something that you don't really need, don't have it on the device. Next slide, Mike.

Okay. Effectiveness analysis for security controls, this is where we introduce information about metrics because, like I said, we're running out of time. We added a whole new section on metrics. It's optional. Licensees may determine that in a different way, that they want to demonstrate the effectiveness of their program.

They may do it as we had in the earlier discussion by saying, okay, we want to do it. We have a model that very closely simulates this. And we can run a test on it to show how we would react to a cyber attack.

They can come up with any method they want to do. Okay. But they already have auditing requirements. If you have auditing requirements to get logs, you need to know what those logs mean and you come up with metrics that can show how effective your program is. Next slide, Mike.

Okay. Maintenance of CDA security assessments. This was a major issue for the plants, and it's paperwork. It is. But they have to understand, as I keep harping on, you have to know what's in your system. You have to know what's in your system is secure.

Okay. So therefore, the only thing you have to go by is the assessments of this equipment you have. And it has to reflect what is reality, not what you did ten years ago, not what you did five years ago. It needs to reflect what is there today.

So we added information all through the document when any changes were made to the systems. And you have the validations, whatever, that that information is reflected in a security assessment. And it's really important, like I said. The licensee and the regulator needs to understand how these devices are protected and that their controls are still effective. This is one way of doing it, that an objective person could look at this and understand it.

MEMBER HALNON: Is this simply, we made a change, we do an assessment? Or is this a full assessment on everything again, over and over again?

MS. LAWSON-JENKINS: If you make a change, you want to know your change worked, right?

MEMBER HALNON: Right. I get that.

MS. LAWSON-JENKINS: You want to make sure that you didn't introduce something that --

MEMBER HALNON: I'm just saying if you have a system that hasn't been changed, do you have to go through an assessment?

MS. LAWSON-JENKINS: No, no. If you -- there has been no communication with that system. This goes back to the graded approach, okay, and using risk informed security. If you --

MEMBER HALNON: That's fine. I got it. I just want to make sure that we weren't asking for a reassessment of --

MS. LAWSON-JENKINS: No, no, no. I mean, like I said --

(Simultaneous speaking.)

MS. LAWSON-JENKINS: -- like I said, this is risk informed security. You have to -- if you have tested and there's nothing there, then why would you need to go back there? This is -- okay.

(Simultaneous speaking.)

MEMBER HALNON: All right. We're on the same page. We're good.

MS. LAWSON-JENKINS: Okay. Next slide, Mike. Okay. As I said, we added the intent of every control. We added text about reducing or eliminating tech pathways and surfaces. And we aligned with the NIST SP 853, Revision 5. So NIST has had two revisions of their security controls since we've been doing this. Next slide, Mike.

Okay. Very briefly, the Reg Guide 5.71, the revision, it's close but not exactly the same as the NEI version. It's like a version of what we have. And some things, actually, we took out. We saw no real need for.

Other things, we were in alignment in. We're removed controls. And a few things we left -- that we left in our document. And they came up with alternate ways of doing it. And we'll see on inspections whether that really plays out.

But the issue is that safety and security, they do have synergy. They work together. But they are different things. They are different. You can have something in for a safety reason and then not meet the need for security. And that's what has to be looked at each time, especially when you're claiming credit for it.

MEMBER BLEY: And I guess the key thing here is from both sides, we have to make sure the things we do for security don't have a negative impact on safety and vice versa.

MS. LAWSON-JENKINS: Well, really, no, it's one way there. The things we do for security to never have a negative impact on safety. Okay.

MEMBER BLEY: Well, I suspect it's not one way because some of the safety systems are tied into -- on the cyber side, things are kind of -- in any case, they don't want either one to degrade.

MR. BEARDSLEY: There was a safety security interface requirement in the regulations that the licensees have to maintain.

MS. LAWSON-JENKINS: Yes.

MEMBER BLEY: I wanted to ask about NIST. We keep referring to NIST. Do they have some hierarchical rule over us? Or do we think they're just really good and we want to follow them? Or what's the relationship?

MS. LAWSON-JENKINS: Well, one thing is they've been working in this area for quite a while. And the original version of 5.71 was a tailored version of one of the NIST documents. Two of them really.

MEMBER BLEY: So it's directly derivative from it, yeah.

MS. LAWSON-JENKINS: Right, right. So anytime they change the corresponding controls, we look at it to see, do we need to pick up this change? And if not, why? Okay. Sometimes we did. But sometimes we didn't and we had justification on why we decided to change things or not.

MEMBER HALNON: Looking at the joint task force, the NRC is not on that joint task force. Are you all planning on becoming a member of that joint task force?

MS. LAWSON-JENKINS: For?

MEMBER HALNON: For the NIST document. I'm looking at the --

MR. BEARDSLEY: We're not on the joint task force. We do review all the NIST changes. We were provided the opportunity to review and comment. And so the level to which those changes are made and the broad breadth in the government, it wouldn't behoove us to give out resources to that.

MEMBER HALNON: I mean, you're on the ASME committees and ANS committees and whatnot. This seems pretty impactful to the nuclear industry. It seems like you'd want to be --

MR. BEARDSLEY: The changes they make to the controls, so those documents have hundreds of controls. We selected maybe 130, 140 of them. So I mean, the chances of them significantly impacting our regulation or our plan are pretty low.

MEMBER BLEY: Are there any areas where you've departed from NIST --

MR. BEARDSLEY: Yes.

MEMBER BLEY: -- intentionally?

MR. BEARDSLEY: Yes, we tailored the NIST requirements in Reg Guide 5.71 to meet the industrial control systems. Now industrial control systems, there are NIST standards for industrial control systems now that didn't exist in 2009 when we wrote the Regulatory Guide. But we're not going to go rewrite the Regulatory Guide at this point. That doesn't make sense. We are looking at that level in advanced reactor guidance for the future.

MEMBER BLEY: Okay.

MS. LAWSON-JENKINS: I just want to make a quick clarification there, 850 -- so 882 did exist. It was a very early version. So we have been tying -- if you look at the revisions, we have been tying 853 which is the security controls and 882 which are for an industrial control system. We monitor those for revision. Okay.

We don't give input. As Jim said, we give comments if we see anything. But the changes that were made, they haven't really changed them significantly. Next slide, please. I think I'll be close to getting towards the end of this. Thank you.

Supply chain, for supply chain, we had a lot of -- especially for the developer, a lot of prescriptive controls. I know as a software developer that a lot of integrated design environments where you use -- you don't make those coding mistakes anymore. They won't let you do it.

So we clarify. We got rid a lot of the prescriptive language in 12.5 for security testing and then some of the licensee applicant testing. And as I said, we keep adding more text about the attack surfaces and pathways.

We updated the glossary. If you have more definitions you would like us to add, please give us that information. And references, we updated those and obviously, like I said, made numerous editorial changes. Next slide, Mike. Okay, next, one more. I should've dropped this one.

So like I said, we've had a team working on this draft guidance since 2016. And so we know every sentence, every punctuation. Everything in this document, we could defend everything in there.

We've had a lot of good people working on this. We put -- like I said, we put it off because public comment in 2018, got a lot of good feedback. We resumed the work in 2020. We finished the two rounds of inspections, and now we're getting close to 2022. So next slide, Mike.

So what we were like to do is after receiving the feedback to make any last changes, look at your input, and if necessary, make any last changes and issue this draft guidance in January and have a two-month public comment period. Like I said, I anticipate having two public meetings on this, one where we just give out for information and give people time to digest it and then for stakeholders to come in and make comments on it. To use most of 2022 getting it through the NRC process.

And then hopefully in the fall, have another brief with ACRS subcommittee and full committee to get this guide ready for publication. So that is the plan. I think that's the last slide, Mike. Oh, one more, one more. Yes.

So as Jim as said, the licensees have implemented their programs, and we've provided oversight of those programs. There's no changes in the staff position, just clarifications and one new regulations. And as we've been speaking all through this, the world has changed a lot.

Ten, twelve years is two lifetimes in cyber security. It's a long time. But the attacks have changed. There are hardware attacks now. We've been talking about software. There are actually hardware attacks now and clearly firmware attacks. We have those.

So there's lots of things going on. So we have to adapt with that. We are not just sitting and looking at what was done. We are monitoring the changes that are coming up in the industry. We're looking at -- there are public meetings on these new technologies that are coming in. We are there.

I'm really wrapping it up really quickly. I'll be finished in a moment. So if we have anymore questions on that, we can saw what we are actively doing. But right now on a lot of the technology, I think it's Reg Guide 1.152, you talk about the concept phase.

And a lot of these designs right now are in the concept phase. And we are listening and understanding the functions they must perform and try to understand how cyber attacks could affect those function. So now we're listening and being a part of those discussions.

2 So I know Jim will probably speak on this 3

maybe and if you have a few more questions. But we 4

are not just looking back at what we did, but we are 5

forward looking. And we are busy, not just with the 6

inspections but, as I said, any of the new designs 7

that come up to make sure we have a subject matter 8

expert from cyber who would listen to what's going on 9

so they can understand those designs and understand 10 the impacts on there for cyber.

11 So we're doing our job. I guess the point 12 I want to make here. This isn't just Kim Lawson 13 speaking. It's really Mike Brown and Jim Beardsley 14 and Eric Lee who wrote the original version of 5.71 15 and a lot of people who continue to put a lot of time 16 and effort in this. And like I said, we appreciate 17 the comments. We appreciate the input. And I look 18 forward to receiving them, so --

MEMBER BLEY: I have a couple quick questions and a comment. I went back and looked at that Knowledge Management document that I cited. And it appears they try to pick up some cyber security.

But I'm not sure if they did much more than read the older version of 5.71. I don't know if any of your folks were involved with them. So here's some sections. But they're probably not thorough enough. But it's worth a look.

And in Section A-2 which describes the cyber security plan, there's a very clear sentence about achieving high assurance that cite digital assets are computer and communication systems and networks associated with SSEP functions, hereafter defined as Critical Digital Assets, are adequately protected against cyber attacks up to and including the design basis threat. I'm not sure when you talked about risk informing, did you talk at all about risk inform the design basis threat? I hope you do.

MR. BEARDSLEY: Okay. Let me just address that for a second because this is actually a major discussion, not only here in the U.S. but across the world. We have elected not to modify the design basis threat on a routine basis based on cyber threats. So the design basis threat in general has a characterization of what a DBT cyber adversary.

And we evaluate just like all DBT aspects on an annual basis. And we'll make a recommendation to the Commission. But we have not provided significant definition to that threat or that adversary because it changes so often.

It would become untenable from an administrative point of view. The licensees understand what the threat is, and they know what they have to meet. But we're not risk informing or managing it.

MEMBER BLEY: Okay. But it's defined in a function. I know you can't go into detail. But it's defined in a functional way, I assume.

MR. BEARDSLEY: It is defined at a very high level and a functional --

(Simultaneous speaking.)

MEMBER BLEY: Okay. And I guess I would've hoped there was a risk informing thought to setting as functional criteria. And if not, I wonder why not. We don't have to go into detail.

MR. BEARDSLEY: The challenge you have is that the nation state cyber security today is someone in their garage 18 months from now or 3 months from now or 6 months. And trying to define it would be an ongoing administrative burden that not only here in the U.S. but across the world most regulators have found is almost untenable.

MEMBER BLEY: So it's more of an umbrella approach. We protect inside by having a good enough umbrella that we're hoping however they come in, we catch them.

MR. BEARDSLEY: That's a fair characterization.

MEMBER BLEY: Okay.

MS. LAWSON-JENKINS: While keeping an eye on what's going on inside. You don't assume that only good people are on the inside. And I don't mean inside the threat. I mean that you don't have any malware just because you haven't seen anything bad yet. But you have to keep monitoring.

MEMBER BROWN: I just wanted to clarify because I read this thing on design basis threat. And I want to make sure I understand this. A plant has a design basis threat it's supposed to be protected against. Are we saying there's not a cyber threat that's going to affect that and make it worse?

MR. BEARDSLEY: We are not saying that, no. What we are saying --

MEMBER BROWN: You're not -- okay. Maybe I said that the wrong way.

MR. BEARDSLEY: So the design basis threat is defined in the regulation, then we have safeguards level documents that provide more definition to the physical design basis threat.

MEMBER BROWN: Exactly.

MR. BEARDSLEY: We have elected not to provide in more significant detail --

(Simultaneous speaking.)

MEMBER BROWN: That's where I was trying to get to. That's where I was trying to get to. You're not saying there's something out there that could compromise our design -- we're leaving it the way it is.

MR. BEARDSLEY: Absolutely.

MEMBER BROWN: We're not trying to -- and I'm not saying -- I just wanted to understand it, make sure I got it clearly. Thank you. Kim, you're done?

MS. LAWSON-JENKINS: I am done, unless you have any more --

MEMBER BROWN: Okay. Well, thank you very much, young lady. You did a fine job, very patient. That's always appreciated. Let me --

MS. LAWSON-JENKINS: And honestly, we appreciate your comments. I mean, every time we have to --

(Laughter.)

MS. LAWSON-JENKINS: No, no. Seriously, every time we have to discuss how it works, we should defend it. And we're wrong, we need to fix something. So thank you very much for the feedback. Thank you.

MEMBER BROWN: Hopefully, my intent is to provide feedback that doesn't say, take another six months to resolve our concerns.

MS. LAWSON-JENKINS: Hopefully, no.

MEMBER BROWN: Hopefully, we can be specific enough that if you agree with them, you can just do them. And then you go get your thing out in January. That's my goal. Whether I'm successful or not, that depends on my colleagues here somewhat. Any member comments starting on the other side? Dave? Ron? Greg? Joy? Matt?

CHAIRMAN SUNSERI: That was a very comprehensive presentation. They did a good job.

MEMBER BROWN: Yeah. Vicki? I'm done. Do we go to the phones now during the full committee meeting? I've forgotten.

CHAIRMAN SUNSERI: Yes, we do.

MEMBER BROWN: I presume the line is open. Is that correct?

CHAIRMAN SUNSERI: So yes, if there's any members of the public that wish to make a comment, you can unmute yourself. You can *6, provide your name and your comment.

MEMBER BROWN: Hearing none.

CHAIRMAN SUNSERI: Yeah, and then I guess I would offer the same courtesy to any members on the Teams chat that would like to make a comment. Not the chat, the Teams session.

(No audible response.)

CHAIRMAN SUNSERI: Okay, nothing. All right.

MEMBER BROWN: I got -- can I finish up?

CHAIRMAN SUNSERI: Go ahead.

MEMBER BROWN: Number one, I want to -- I just want to thank you all. We've had three what I thought very illuminating, providing a lot of information between the September 22nd digital ANC overview where we had extensive discussion, in general on this general subject as well as the October session and again a follow-up today with Kim. And you all did a -- in my own personal opinion, did an excellent job of trying to or even answering our questions.

I'm hoping that we -- I have a letter prepared. And it's -- hopefully, I can get through it without asking for the world to be reexamined and have only specific suggestions of which hopefully you will accept. Other than that, if you all have nothing else to add, you have any final thoughts you'd like to say, Jim?

MR. BEARDSLEY: Just thank you very much for the opportunity.

MEMBER BROWN: Okay. Thank you all. It was a good presentation. I really enjoy the back and forth. They're very good for both of us.

CHAIRMAN SUNSERI: Yeah.

MEMBER BROWN: I'll turn it over to you, Matt.

CHAIRMAN SUNSERI: Yeah, I agree, Charlie. I think this session demonstrated the true value of the in-person presentations and interactiveness. The meeting was much more robust than I think I've seen on nearly two years' worth of virtual ones. So thank you all for that.

Okay. So at this point then, we're going to take a break. We're going to take a break till let's call it 3:30. At that time, we will complete the day on deliberations by delivering two reports.

We're going to start with the Kairos report because it's very near being done. I want to get that one up and down before we get into a longer one, right? And then we'll get into the -- Charlie, you can be prepared to do your read-in. Hopefully, we'll get through major comments and get pretty far along on that one. Yes, Dennis?

MEMBER BLEY: Is staff going to provide us with hard copies or should I go print my own?

CHAIRMAN SUNSERI: Well, I'll take care of that during the break, yeah. All right.

MEMBER BROWN: I have a hard copy. The one I sent out to everybody, I printed out.

CHAIRMAN SUNSERI: Okay. All right. Thank you. All right then. So we are now in recess until 3:30. Thank you.

(Whereupon, the above-entitled matter went off the record at 3:09 p.m.)


KP-NRC-2111-002

Kairos Power LLC
www.kairospower.com
707 W Tower Ave, Suite A, Alameda, CA 94501
5201 Hawking Dr SE, Unit A, Albuquerque, NM 87106
2115 Rexford Rd, Suite 325, Charlotte, NC 28211

November 29, 2021

Project No. 99902069

US Nuclear Regulatory Commission
ATTN: Document Control Desk
Washington, DC 20555-0001

Subject: Kairos Power LLC Presentation Materials for Kairos Power Briefing to the Advisory Committee on Reactor Safeguards (Full Committee) on KP-FHR Mechanistic Source Term Methodology Topical Report

References: Letter, Kairos Power LLC to Document Control Desk, KP-FHR Mechanistic Source Term Methodology Topical Report, Revision 1, August 19, 2021, ML21231A290

This letter transmits presentation slides for the November 30, 2021, briefing for the Advisory Committee for Reactor Safeguards (ACRS). At the meeting, participants will discuss the KP-FHR Mechanistic Source Term Methodology Topical Report (KP-TR-012-P) Revision 1, which was submitted via the referenced letter to the Nuclear Regulatory Commission for review and approval.

The content of this information is non-proprietary; Kairos Power authorizes the Nuclear Regulatory Commission to reproduce and distribute the submitted content, as necessary, to support the conduct of their regulatory responsibilities.

If you have any questions or need additional information, please contact Drew Peebles at peebles@kairospower.com or (704) 275-5388, or Darrell Gardner at gardner@kairospower.com or (704) 769-1226.

Sincerely,
Peter Hastings, PE
Vice President, Regulatory Affairs and Quality

Enclosure: Presentation Slides for the November 30, 2021, ACRS Kairos Power Subcommittee Briefing

xc (w/enclosure):
William Kennedy, Acting Chief, NRR Advanced Reactor Licensing Branch
Benjamin Beasley, Project Manager, NRR Advanced Reactor and Licensing Branch
Weidong Wang, Senior Staff Engineer, Advisory Committee for Reactor Safeguards

KP-NRC-2111-002 Presentation Slides for the November 30, 2021 ACRS Kairos Power Subcommittee Briefing

Copyright © 2021 Kairos Power LLC. All Rights Reserved.

No Reproduction or Distribution Without Express Written Permission of Kairos Power LLC.

KP-FHR Mechanistic Source Term Methodology Topical Report ACRS Meeting, November 30, 2021


Kairos Power's mission is to enable the world's transition to clean energy, with the ultimate goal of dramatically improving people's quality of life while protecting the environment.

In order to achieve this mission, we must prioritize our efforts to focus on a clean energy technology that is affordable and safe.


KP-FHR Specifications

Uniquely Large Margins Between Operational and Failure Temperatures

Parameter | Value/Description
Reactor Type | Fluoride-salt cooled, high temperature reactor (FHR)
Core Configuration | Pebble bed core, graphite moderator/reflector, and enriched Flibe molten salt coolant
Core Inlet and Exit Temperature | 550°C / 600-650°C

Design Temperature Limits | Value
Primary Salt (Flibe) Freezing and Boiling Temperatures | 459°C / 1430°C
Maximum ASME Section III, Division 5, SS316 Temperature | 816°C
Peak Fuel Temperature Limit | 1600°C

Our combination of fuel and coolant provides a uniquely large safety margin.


High Level Approach Source Term Methodology

  • Decompose the problem into a series of Material at Risk (MAR) and barrier Release Fractions (RFs) that separate that MAR from a receptor at the site boundary.
  • For each barrier, group radionuclides into and model release through that barrier using a representative element for that group.

The barriers for radionuclide release are the TRISO fuel and the Flibe coolant (i.e., functional containment).

Radionuclide groups are used to facilitate transport through barriers.

Unique grouping structures exist for specific release modes (e.g., mechanical grinding of fuel in the PHSS vs diffusion through TRISO barriers).


Sources of Steady State Material at Risk (MAR)

Fuel Assumed to retain FPs and HM Intact Layers Compromised IPyC Layer Compromised OPyC Layer Assumed to release FPs Compromised SiC Layer Exposed Kernel Inservice Failures No Retention of FPs or HM Dispersed Uranium Structures (Graphite + Pebbles)

Tritium C.A. Contamination Circulating Activity Initial Salt Loading

Uranium, Thorium, Metals

FP and HMC from Fuel Transmutation and Fission Tritium Production Offgas Gases and Vapors Building Tritium Nitrate Tritium Flibe Cleanup Noble Metals


MAR Mobilization in AOOs, DBEs, and DBAs

  • The vast majority of MAR is safely protected in the fuel during AOOs, DBEs, and DBAs.

No incremental fuel failure is expected at temperatures <1600C.

Multiple inherent safety features protect the fuel from achieving high temperatures.

Aerosolization of Flibe - Hypothetical guillotine pipe break or primary pump operations

Vaporization - chemical specific evaporation is evaluated across accident temperature profiles

Limited release rates are expected from evaporation of soluble radionuclides from Flibe for temperatures below 816C.

  • Tritium stored in graphite, pebbles, and structures can be desorbed at elevated temperatures.

Only minor fractions of the total MAR can be mobilized in AOOs, DBEs, or DBAs


AOO, DBE, & DBA Source Term Methodology

  • A technical specification (tech spec) limit will be set on activity in the Flibe, cover gas, and other systems.

The system is designed to preclude incremental fuel failures due to the DBA conditions as evaluated by KP-BISON.

  • AOO and DBE source term analyses similar to DBAs, but a more realistic assessment of barriers, mitigation strategies, and initial conditions may be assumed.
  • The circulating activity technical specification will be used to inform an operational limit on circulating activity. This operational limit can be used as a more realistic initial condition for normal operation effluent calculations as well as certain AOOs and DBEs.


Radionuclide Grouping and Transport Approach

  • Transport of radionuclides through each medium is evaluated on an RN group basis using the following steps:
1. Individual isotopes are combined into RN groups for each barrier.
2. Release fractions of each RN group associated with that medium are calculated given driving forces (e.g., temperature, pressure).
3. Release fractions are combined with the relevant inventories to determine the quantity of material that is mobilized. That incoming material is then:
   1. Combined with the radionuclides already present in the next barrier and then
   2. Regrouped for subsequent mobilization

4. The dose consequences for radionuclides that are transferred into the gas space are evaluated with RADTRAD and ARCON.

LWR Example


Limitations

1. Approval of KP-Bison for use in fuel performance analysis as captured in KP-TR-010-P (KP-FHR Fuel Performance Methodology).
2. Justification of thermodynamic data and associated vapor pressure correlations of representative species.
3. Validation of tritium transport modeling methodology.
4. Confirmation of minimal ingress of Flibe into pebble matrix carbon under normal and accident conditions, such that incremental damage to TRISO particles due to chemical interaction does not occur as captured in KP-TR-010-P (Fuel Qualification Methodology for the KP-FHR).
5. Establishment of operating limitations on maximum circulating activity and concentrations relative to solubility limits in the reactor coolant, intermediate coolant, cover gas, and radwaste systems that are consistent with the initial condition assumptions in the safety analysis report.
6. Quantification of the transport of tritium in nitrate salt and between nitrate salt and the cover gas
7. The phenomena associated with radionuclide retention discussed in this report is restricted to molten Flibe. The retention of radionuclides in solid Flibe is beyond the scope of the current analysis.
8. The methodology presented in this report is based on design features of a KP-FHR (details provided in report). Deviations from these design features will be justified by an applicant in safety analysis reports associated with license application submittals.

NRC Staff Evaluation of the KP-FHR Mechanistic Source Term Methodology, Revision 1

Michelle Hart
Senior Reactor Engineer
Office of Nuclear Reactor Regulation

Presentation to the ACRS
November 30, 2021

Introduction

  • KP-FHR Mechanistic Source Term Methodology topical report, KP-TR-012, Revision 1 (August 2021)
  • Applicable to Kairos Power fluoride salt cooled, high temperature reactor (KP-FHR) designs

- Including a nuclear test reactor and commercial power reactors

  • Methodology to develop event-specific radiological source terms and short-term atmospheric dispersion values for EAB and LPZ at distances less than 1,200 meters

- DBAs for siting and safety analysis

- AOOs and DBEs for use in NEI 18-04 methodology to categorize events, classify SSCs, and evaluate defense-in-depth

- Does not address source terms and atmospheric dispersion for normal operation and effluents, BDBEs, or control room habitability

Staff Review Focus

  • Staff review focused on the bases for models in the methodology

- Radionuclide transport and retention in the fuel, Flibe, gas space and buildings

- Tritium production, transport and retention

- Aerosol formation and deposition

- Near-field atmospheric dispersion and use of ARCON96

Mechanistic Source Term Approach

  • Methodology develops MSTs by evaluating sources of radioactive materials at risk of release (MAR) and release fractions for each barrier that contains the MAR
  • DBA MSTs are developed crediting only the TRISO particle and Flibe coolant radionuclide retention as the KP-FHR functional containment
  • MSTs for AOOs and DBEs are developed using a more realistic accounting of radionuclide barriers
  • Staff finds the MST approach acceptable because it is consistent with

- Safety analysis regulatory requirements

- Discussion of MSTs in SECY-93-092 and RG 1.233

- Description of functional containment in SECY-18-0096

Vaporization of Radionuclide from Flibe

  • The NRC staff finds the methodology acceptable because of conservative assumptions and KP-FHR design features

Conditions and Limitations

  • Kairos Power proposed 8 limitations on use of the TR, which were acceptable to the Staff
  • Includes relationships to other Kairos Power TRs under review

- KP-FHR fuel performance methodology TR and use of KP-Bison computer code

- KP-FHR fuel qualification methodology

Conditions and Limitations

  • The Staff imposed two additional conditions and limitations

- #9: Use of the methodology is limited to the KP-FHR design. The combination of TRISO and Flibe allows for assumptions that may not be valid for liquid-fueled MSRs.

- #10: Applicant to provide information to justify that the calculation of tritium absorption onto graphite is not sensitive to the assumptions on tritium diffusivity and solubility in Flibe.


Changes to SE

  • Changes made to the SE since issuance of Draft SE do not impact the NRC staff conclusions

Staff Conclusions

  • KP-TR-012, KP-FHR Mechanistic Source Term Methodology, Revision 1, provides an acceptable methodology for development of event-specific mechanistic source terms for use by KP-FHR designs in offsite radiological consequence analyses for AOOs, DBEs, and DBAs
  • Staff approvals are subject to the Limitations and Conditions of the SE

Acronyms and Definitions

AOO - anticipated operational occurrence
ARCON96 - Atmospheric Relative Concentrations in Building Wakes computer code
BDBE - beyond design basis event
DBA - design basis accident
DBE - design basis event
EAB - Exclusion Area Boundary
Flibe - salt mixture of lithium fluoride (LiF) and beryllium fluoride (BeF2)
KP-FHR - Kairos Power Fluoride-Salt Cooled High Temperature Reactor
LPZ - Low Population Zone
MAR - materials at risk for release
MSR - molten salt reactor
MST - mechanistic source term
NEI - Nuclear Energy Institute
RG - regulatory guide
SE - safety evaluation
SECY - Commission paper
SRM - staff requirements memorandum
SSCs - structures, systems, and components
TR - topical report
TRISO - Tristructural isotopic