ML22172A136

A Week at the NRC Presentation Final 2022
Person / Time
Issue date: 06/21/2022
From: Mario Fernandez
NRC/NSIR/DPCP/CSB
To:
Fernandez M


Text

A WEEK AT THE NRC 2022

Office of Nuclear Security and Incident Response (NSIR)

Division of Physical and Cyber Security Policy (DPCP)

Mario R. Fernandez Jr., Cyber Security Specialist (CSB)

NRC Cyber Security Oversight Program for Operating Reactor Licensees and New Reactor Applicants

2 What is Cyber Security?

Activity: Question & Answer Session

Action(s) taken to protect Information and Information Systems from cyber attacks.

3 What is a Cyber Attack?

Activity: Question & Answer Session

In general terms, any type of offensive maneuver that targets computer information system(s) with the objective to gain access or to tamper with it.

4 Cyber Attack Examples

Unauthorized access, use, disclosure: https://curtisthementalist.com/have-you-been-hacked/

5 Cyber Attack Examples

Modification: https://www.youtube.com/watch?v=32JgSJYpL8o

6 Cyber Attack Examples

Disruption: https://www.youtube.com/watch?v=zcmmFQGxMNU

7 Why Does the NRC care?

Activity: Question & Answer Session

Nuclear Power Plants Are Becoming More Digitized!

8

  • AP1000 and Westinghouse DCS Control Room
  • Analog Systems
  • Supervisory Control and Data Acquisition Systems (SCADA)

Activity: Question & Answer Session

Nuclear Power Plants Are Becoming More Digitized!

9

  • Digital Indicators
  • Digital Relays
  • Digital Recorders
  • Programmable Logic Controller (PLC)
  • Bus Air Breakers
  • Industrial Control Systems (ICS)
  • Digital Instrumentation and Control (Digital I & C)

10 Attack Pathways

1. Wired
2. Wireless
3. Mobile Media
4. Supply Chain
5. Physical Access

Attack Landscape

Digitized Equipment = Vulnerabilities and Threats

Two Main Controllers

11 Digital devices, systems are used in:

Safety and Important-to-Safety, Security, and Emergency Preparedness Functions

SSEP Functions

Digitized Equipment = Vulnerabilities and Threats

Two Main Controllers

12 So Why does the NRC Care?

The NRC licenses and regulates the Nation's civilian use of radioactive materials to provide reasonable assurance of adequate protection of public health and safety and to promote the common defense and security and to protect the environment.

13 NRC Regulatory Process

1. Rulemaking: Development of Cyber Security Requirements
2. Licensing: Review & Approval Cyber Security Plans
3. Oversight: Inspections

14 In NRC terms: 10 CFR 73.54 - Cyber Regulations

15 In NRC terms: 10 CFR 73.54 - Cyber Rule

16 Cyber Security Program Defense-in-depth and Security Controls

  • Internet
  • Corporate Network
  • Site Network
  • Security, Safety Systems

17 Cyber Security Program Defense-in-depth and Security Controls

What is a security control?

Safeguard or countermeasure prescribed for an information system designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements.

18 Security Control Examples

  • Updates
  • Encryption
  • Portable Media & Devices

19 Security Control Examples

  • Intrusion Detection Systems (IDS)
  • Supply Chain
  • Physical Access
  • Authorized Applications

20 Summary

  • Vulnerabilities & threats
  • What is the NRC's mission and responsibilities?
  • What is Defense-in-depth?
  • What is a security control?

21 Last Thoughts