Text

U.S.A. Regulatory Efforts for Cyber Security of Advanced Reactors Juris Jauntirans Cyber Security Specialist U.S. Nuclear Regulatory Commission Ismael Garcia Senior Level Advisor, Cyber Security and Digital Instrumentation and Control U.S. Nuclear Regulatory Commission Michael T. Rowland Sandia National Laboratory IAEA Technical Meeting on Instrumentation and Control and Computer Security for Small Modular Reactors and Microreactors February 21-25, 2022

Draft Cyber Security Requirements for Advanced Reactors 2

Background -

Power Reactors Cyber Requirements Found in 10 CFR 73.54 Protect digital assets that perform specified functions Protect from cyber attacks up to an including a DBT 3

Proposed New Cyber Requirements 4

10 CFR Part 53 development for Advanced Reactors Preliminary Proposed Rule Language Publicly Available New Cyber Requirements in Proposed Rule

Preliminary Proposed Cyber Requirements 5

Reference:

Part 73.110, "Technology Neutral Requirements for Protection of Digital Computer and Communication Systems and Networks, ADAMS Accession Number ML21308A026

10 CFR 73.110 Draft Regulatory Guide Concepts 6

Draft Regulatory Guide Development 7

An acceptable approach for meeting the 10 CFR 73.110 requirements Effective guidance to support a performance-based regulatory framework Leverage IAEA and IEC security approaches

Draft Regulatory Guide -

Three-Tier Analysis Approach 8

Facility Level Function Level System Level

Important Terminology CEAS: Cyber-Enabled Accident Scenario CEIS: Cyber-Enabled Physical Intrusion Scenario 9

Evaluate DB and PPS for protection against CEAS and CEIS START -

Existing Safety and Security Analyses DB elements and PPS features ensure that potential cyber attacks do not result in 10 CFR 73.110(a) consequences Update DB and/or PPS CEAS or CEIS result in 10 CFR 73.110(a) consequences?

Security By Design Feasible?

Yes No Yes No Develop Adversary Functional Scenarios DB - Design Basis PPS-Physical Protection Systems CEIS-Cyber Enabled Intrusion Scenario CEAS-Cyber Enabled Accident Scenario 10 Overview of Draft Regulatory Guide Performance-based/Risk Informed Approach Facility Level Function Level

Do unmitigated Adversary Functional Scenarios remain?

Passive Defense Feasible?

Specify CSP and DCSA elements (e.g.,

prohibitions, passive/deterministic devices) to eliminate or mitigate attacks No Yes No Yes Document CSP and DCSA elements required to prevent credible cyber attack scenarios CSP-Cyber Security Plan DCSA-Defensive Computer Security Architecture 11 Optional Overview of Draft Regulatory Guide Performance-based/Risk Informed Approach (Cont.)

Function Level

Identify Critical Functions and Systems Document CSP and DCSA elements, including cyber security controls, needed to protect against cyber attacks Develop or Update Adversary Technical Sequences Specify active CSP and DCSA elements (e.g., detection and response systems) and System Cyber Security Controls Unmitigated Sequences?

Yes No CSP-Cyber Security Plan DCSA-Defensive Computer Security Architecture 12 Overview of Draft Regulatory Guide Performance-based/Risk Informed Approach (Cont.)

System Level

Future Work Continue work on Proposed Cyber Requirements and draft Regulatory Guide Inclusion in Part 53 rulemaking package 13

14