ML22038A946

Presentation for IAEA Technical Meeting on Instrumentation and Control and Computer Security for Small Modular Reactors and Microreactors
Person / Time
Issue date: 02/03/2022
From: Ismael Garcia
NRC/NSIR/DPCP
To:
Garcia I


Text

IAEA Technical Meeting on Instrumentation and Control and Computer Security for Small Modular Reactors and Microreactors
February 21-25, 2022

U.S.A. Regulatory Efforts for Cyber Security of Advanced Reactors

Juris Jauntirans, Cyber Security Specialist, U.S. Nuclear Regulatory Commission
Ismael Garcia, Senior Level Advisor, Cyber Security and Digital Instrumentation and Control, U.S. Nuclear Regulatory Commission
Michael T. Rowland, Sandia National Laboratory

Draft Cyber Security Requirements for Advanced Reactors

Background - Power Reactors Cyber Requirements
- Found in 10 CFR 73.54
- Protect digital assets that perform specified functions
- Protect from cyber attacks up to and including a DBT

Proposed New Cyber Requirements
- 10 CFR Part 53 development for Advanced Reactors
- Preliminary Proposed Rule Language Publicly Available
- New Cyber Requirements in Proposed Rule

Preliminary Proposed Cyber Requirements

Reference: Part 73.110, "Technology Neutral Requirements for Protection of Digital Computer and Communication Systems and Networks," ADAMS Accession Number ML21308A026

10 CFR 73.110 Draft Regulatory Guide Concepts

Draft Regulatory Guide Development
- An acceptable approach for meeting the 10 CFR 73.110 requirements
- Effective guidance to support a performance-based regulatory framework
- Leverage IAEA and IEC security approaches

Draft Regulatory Guide - Three-Tier Analysis Approach
- Facility Level
- Function Level
- System Level

Important Terminology
- CEAS: Cyber-Enabled Accident Scenario
- CEIS: Cyber-Enabled Physical Intrusion Scenario

Overview of Draft Regulatory Guide Performance-based/Risk Informed Approach

Flowchart (Facility Level):
- START: Existing Safety and Security Analyses
- Evaluate DB and PPS for protection against CEAS and CEIS
- Decision: CEAS or CEIS result in 10 CFR 73.110(a) consequences? (Yes/No)
- Decision: Security By Design Feasible? (Yes/No)
- Update DB and/or PPS
- DB elements and PPS features ensure that potential cyber attacks do not result in 10 CFR 73.110(a) consequences
- Develop Adversary Functional Scenarios (Function Level)

Legend: DB - Design Basis; PPS - Physical Protection Systems; CEIS - Cyber Enabled Intrusion Scenario; CEAS - Cyber Enabled Accident Scenario

Overview of Draft Regulatory Guide Performance-based/Risk Informed Approach (Cont.)

Flowchart (Function Level):
- Decision: Do unmitigated Adversary Functional Scenarios remain? (Yes/No)
- Decision: Passive Defense Feasible? (Yes/No)
- Specify CSP and DCSA elements (e.g., prohibitions, passive/deterministic devices) to eliminate or mitigate attacks
- Document CSP and DCSA elements required to prevent credible cyber attack scenarios
- Label: Optional

Legend: CSP - Cyber Security Plan; DCSA - Defensive Computer Security Architecture

Overview of Draft Regulatory Guide Performance-based/Risk Informed Approach (Cont.)

Flowchart (System Level):
- Identify Critical Functions and Systems
- Develop or Update Adversary Technical Sequences
- Specify active CSP and DCSA elements (e.g., detection and response systems) and System Cyber Security Controls
- Decision: Unmitigated Sequences? (Yes/No)
- Document CSP and DCSA elements, including cyber security controls, needed to protect against cyber attacks

Legend: CSP - Cyber Security Plan; DCSA - Defensive Computer Security Architecture

Future Work
- Continue work on Proposed Cyber Requirements and draft Regulatory Guide
- Inclusion in Part 53 rulemaking package
