ML22130A736
| ML22130A736 | |
| Person / Time | |
|---|---|
| Issue date: | 05/10/2022 |
| From: | Michael Brown NRC/NSIR/DPCP/CSB |
| To: | |
| Brown M | |
| References | |
| Download: ML22130A736 (20) | |
Text
U.S NUCLEAR REGULATORY COMMISSION (NRC)
CYBER SECURITY OVERSIGHT PROGRAM OVERVIEW FOR THE POLISH REGULATORS Michael Brown, CISSP Michael.brown@nrc.gov Cyber Security Branch (CSB)
Division of Physical and Cyber Security Policy (DPCP)
Office of Nuclear Security and Incident Response (NSIR)
AGENDA Brief History of Cyber Security at the NRC 10 CFR 73.54 - Cyber Rule and Guidance Cyber Security Full Implementation Inspections Cyber for the AP1000 2
2002 ->
2002 ->
2001
<- 2008
<- 2008 2010 2010 2013 2013 2015 2015 2016 2016 Cyber Security Implementation Inspections Cyber Security Implementation Inspections 2017 NPP CSPs &
Implementation Schedules Approved The Cyber Rule 10 CFR 73.54 Issued 2012 2012 9/11 Terrorist Attack MS 1 - 7 Inspections NRC & Industry collaborative work on implementation guidance SFAQs, NEI 13-10, workshops, tabletops, CSP addendums Full Implementation Inspections started Overview of US NRC Cyber Security Program Cyber Security Program History 3
2009 Cyber Security Assessments NRC & Industry work to assess and address cyber security at NPPs RG 5.71 & NEI 08-09 Implementation Guidance
4 Future of US NRC Cyber Security Program 2018 2018 Baseline Inspection Program continues Baseline Inspection Program continues 2017 Full Implementation Inspections Started Full Implementation Inspections at all Licensee Sites Full Implementation Inspections Completed Biennial Baseline inspections start 2019 2019 2020 2020 2021 2021 2022 2022 4
SM1 BM3
Slide 4 SM1 missing the slide number on slide 4 Sampson, Michele, 4/18/2022 BM3 Added slide number Brown, Michael, 4/20/2022
High assurance that digital computer and communication systems and networks are adequately protected against cyber attacks Cyber Security Program Implementation Requirements at NewRx and OpRx Focus: Prevention of Radiological Sabotage 5
10 CFR 73.54 Protection of Digital Computer
& Communication Systems and Networks
- Op Rx and license applicants must have a Cyber Security Plan
- Protect digital computer and communication systems and networks associated with
- Safety, Security & Emergency Preparedness (SSEP) functions
- Support systems and equipment which, if compromised, would adversely impact SSEP functions
- Protect from cyber attacks that adversely impact
- Integrity or confidentiality of data and/or software
- Deny access to systems, services, and/or data
- Operation of systems, networks, & associated equipment 6
1.
Cyber Security Assessment Team 2.
Identify Critical Digital Assets (CDAs) 3.
Implement Defensive Architecture 4.
Apply Security Controls to CDAs Implementation Guidance 5/25/2022 7
- 5. Cyber Security Program Must Include These Areas to Support Implementation
Generic Defensive Architecture 8
Internet Corporate Network Site Network Security /
Safety Systems One-way Deterministic Device
IAEA Guidance Documents US nuclear plants typically use either NEI 08-09 or RG 5.71 for guidance in developing their cybersecurity programs Most International plants use IAEA guidance in developing their cybersecurity programs.
- IAEA Nuclear Security Series (NSS) No. 13 Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities
- Provides guidance on physical protection of facilities and transportation
- NSS No. 23-G Security of Nuclear Information
- Provides guidance on securing information
- Provides different classifications for information (e.g.
secret, confidential, etc.)
9
IAEA Guidance Documents
- NSS No. 42-G Computer Security for Nuclear Security
- Provides implementing guidance for computer security
- Provides recommendations for different security levels
- NSS No. 17-T Rev 1 Computer Security Techniques for Nuclear Facilities
- Provides technical guidance on how to setup your computer security program and the security requirements for different security levels 10
- Inspection Procedure IP 71130.10P
- Team Composition (4 inspectors)
- Regional Inspector Team Lead
- Regional Inspector
- 2 Cyber Security Subject Matter Experts (Contractor SMEs)
Inspectors
- The initial round of full implementation inspections were completed in 2021
- These inspections consisted of a week onsite followed by an offsite week, followed by a 2nd week onsite NRC Lead inspector NRC inspector 2 NRC Contractors HQ Support staff Available (remotely) to the team as needed Full Implementation Inspection Resources 11
Inspection Procedure 71130.10P 12 Programmatic Technical Cyber security program & training Access control/media and portable device protection:
Policies & procedures, CDAs, Networks, Portable Media Devices, Controls login, authentication, wireless Attack mitigation, incident response, and contingency planning Program monitoring, assessment, configuration, and change management CDA and communications protection Protocols, passwords, shared resources, Denial-of-Service protection, digital certificates, information protection, encryption, removal of unnecessary services, OS Systems/services acquisition and supply chain protection Review changes to the cyber security plan Defense-in-depth, detection, and response Hardware configuration, intrusion detection system, malicious code protection, monitoring tools, information flow enforcement Cyber security event reporting Identification and resolution of problems 12
Cyber Security During Construction
- NEI 08-09 Addendum 3 provides guidance on System and Services Acquisition (Supply Chain) and discusses some of the following:
- Maintaining custody and control of device from vendor to installation
- Many components at Vogtle were shipped without software installed and software was installed during system turnover
- Requirements for tamper proof products or tamper seal on acquired products
- Establishment of trusted distribution paths to ensure traceability
- Integration of security capabilities
- The best time to add security features is during the design and construction of a product, not as an add on after construction
- Licensee testing
- Licensee should always test products prior to installation 13
Cyber Security During Construction
- A good practice is to store safety related and important to safety CDAs in a secured storage areas prior to their installation in the plant to minimize any unauthorized access to them
- These areas should be access controlled to minimize unnecessary traffic to them 14
Cyber Security For the AP-1000
- A major difference between the AP-1000 and current nuclear fleet in the USA is the shear number and complexity of digital components
- Most of the nuclear plants in the USA were designed in the 60s and built in the 70s and 80s.
- The old nuclear fleet relied on relays, analog controllers (4-20ma),
sensors and switches for operation
- Analog equipment is typically not susceptible to cyber disruption - (e.g.
you turn a hand switch and the rods fall into the core)
- The AP 1000 relies on a digital network for communication
- Much faster and more efficient, however, more susceptible to cyber disruption 15
Data Highway for the AP-1000 16
Picture of Current Control Room 17
Picture of AP-1000 Control Room 18
Questions 19