ML22333A856
| ML22333A856 | |
| Person / Time | |
|---|---|
| Issue date: | 11/29/2022 |
| From: | Michael Brown NRC/NSIR/DPCP/CSB |
| To: | |
| References | |
| Download: ML22333A856 (18) | |
Text
NRC Regulatory Framework and Guidance Michael Brown, CISSP Cyber Security Branch (CSB)
Division of Physical and Cyber Security Policy (DPCP)
Office of Nuclear Security and Incident Response (NSIR)
Michael.brown@nrc.gov 1
2 Overview of US NRC Cyber Security Program NRC Issues various Orders &
Guidance Documents for NPPs to address the Physical
& Cyber Threat Industrys Voluntary Implementation of an Interim Cyber Security Program NRC Conducts Assessment Visits Development of the Cyber Rule 10 CFR73.54 for NPPs Development of the Cyber Rule 10 CFR73.54 for NPPs DBT Update DBT Update Public Law 109-58 Energy Policy Act 2005 Updated DBT 10 CFR 73.1
High assurance that digital computer and communication systems and networks are adequately protected against cyber attacks Cyber Security Program Implementation Requirements at NewRx and OpRx Focus: Prevention of Radiological Sabotage 3
10 CFR 73.54 Protection of Digital Computer
& Communication Systems and Networks
10 CFR 73.54 Protection of Digital Computer &
Communication Systems & Networks
- Op Rx and license applicants must submit a Cyber Security Plan by November 2009
- Protect digital computer and communication systems and networks associated with
- Safety, Security & Emergency Preparedness (SSEP) functions
- Support systems and equipment which, if compromised, would adversely impact SSEP functions
- Protect from cyber attacks that adversely impact
- Integrity or Confidentiality of data and/or software
- Deny access to systems, services, and/or data
- Operation of systems, networks, & associated equipment 4
- The licensee shall:
- Analysis of equipment that needs to be protected (SSEP)
- Establish, implement, and maintain a cyber security program for the protection of the assets identified
- The Cyber Security Program is designed to:
- Implement security controls to protect the assets
- Apply & maintain Defense-In-Depth
- Detect, respond, & recover from cyber attacks
- Mitigate adverse effects of a cyber attack
- Maintain SSEP functions 5
10 CFR 73.54 Protection of Digital Computer &
Communication Systems & Networks
6 1.
Cyber Security Assessment Team 2.
Identify Critical Digital Assets (CDAs) 3.
Implement Defensive Architecture 4.
Apply Security Controls Regulatory Guide 5.71, Cyber Security Program for Nuclear Facilities 4
Most Risk Significant CDAs
- Similar to RG 5.71, NEI 08-09 (ML17079A423) provides guidance to licensees on meeting the requirements of 10 CFR 73.54:
- Approved for use by the NRC
- Provides guidance to establish, implement, and maintain a cyber security program for the protection of the assets identified
- Implement security controls to protect the assets
- Apply & maintain Defense-In-Depth
- Detect, respond, & recover from cyber attacks
- Mitigate adverse effects of a cyber attack
- Maintain SSEP functions 7
NEI 08-09, Rev. 6 - Cyber Security Plan for Nuclear Power Reactors
- By having an NEI document that provides approved guidance to on meeting the requirements of 10 CFR 73.54 provides licensees with a number of advantages:
- Changes to the document may be done by NEI vs. the NRC
- Additional guidance has been issued in a number of areas
- Addendum 2 (ML17212A634) provides guidance on cyber attack detection, response and elimination
- Addendum 3 (ML17236A269) provides guidance on supply chain
- Addendum 4 (ML17236A270) provides guidance on assets outside the protected area
- Addendum 5 (ML18212A282) provides guidance on vulnerability management 8
NEI 08-09, Rev. 6 - Cyber Security Plan for Nuclear Power Reactors
- NEI 10-04 (ML21342A168) provides guidance to the licensees on the identification of equipment that is subject to the requirements of 10 CFR 73.54:
- Provides a methodology to the licensees for identifying different types of assets that need to be protected:
- Safety Related and Important to Safety Assets
- Security Assets
- Balance of Plants Assets and
- Assets associated with Emergency Preparedness Functions 9
NEI 10-04, Rev. 3 - Identifying Systems and Assets subject to the Cyber Security Rule
- NEI 13-10 (ML21342A203) provides guidance to the licensees on how to protect Critical Digital Assets (CDAs)
- Provides guidance on controls that are required based on how a CDA was classified using the methodology from NEI 10-04 or the consequences of the loss of the CDA:
- Safety Related and Important to Safety Assets
- Security Assets
- Balance of Plants Assets and
- Assets associated with Emergency Preparedness Functions 10 NEI 13-10, Rev. 7 - Cyber Security Control Assessments
- Attempts to risk inform by doing a consequence assessment of the critical digital asset (CDA):
- More important assets need more controls
- Balance of Plant CDA
- Indirect CDAs
- Direct CDAs - need most controls 11 NEI 13-10, Rev. 7 - Cyber Security Control Assessments
- Appendix D also provides guidance on controls that are required based on the functionality of the CDA:
- Many controls cannot be installed on lower functioning devices
- Class A.1 CDA - Low functionality, Direct impact
- Example - Rosemount 3153N Digital Transmitter
- Classes go from A.1 to B.3 based on the functionality of the device.
- Example of a B.3 CDA - Modicon Quantum PLC with Modbus-plus communications 12 NEI 13-10, Rev. 7 - Cyber Security Control Assessments
13 Overview of US NRC Cyber Security Program RG 5.71 & NEI 08-09 Implementation Guidance Acceptable for Use NRC & Industry collaborative work on implementation guidance:
- Security Frequently Asked Questions (SFAQs)
- NEI 13-10 Assessment of Security Controls
- NRC Participates in Industry Workshops & Tabletops to assess inspection procedure
- Development of Additional Guidance for Implementation Schedules 2010 2010 2009 2011 2011 2013 2013 2014 2014 2015 2015 2016 2016 Cyber Security Implementation Inspections Cyber Security Implementation Inspections 2017 Industrys Interim Implementation Schedule MS 1 - 7 Inspections Industrys Interim Implementation Schedule MS 1 - 7 Inspections All NPPs Cyber Security Plans &
Implementation Schedules Approved Pilot Inspections Conducted at 2 NPPs NRC & Industry agree on MS 1 - 7 Implementation Schedule 2012 2012 NRC Cyber Security Notification Rule 10 CFR 73.77 Full Implementation
14 Future of US NRC Cyber Security Program 2018 2018 Baseline Inspection Program continues Baseline Inspection Program continues 2017 Full Implementation Inspections Started Full Implementation Inspections at all Licensee Sites Full Implementation Inspections Completed Biennial Baseline inspections start 2019 2019 2020 2020 2021 2021 2022 2022 SM1 BM1
Slide 14 SM1 missing the slide number on slide 4 Sampson, Michele, 4/18/2022 BM1 Added slide number Brown, Michael, 4/20/2022
Baseline Inspection procedure changes
- Procedure is now part of the ROP (Reactor Oversight Process).
- Inspection reduced from a two-week inspection to a one-week inspection.
- Inspection to be conducted every two years.
- Focus of inspection changed:
- From - has licensee properly implemented their cybersecurity program?
- To - Is the licensee properly maintaining their cybersecurity program?
15
Cyber Security Notification Rule, 10 CFR 73.77
- Effective on December 2, 2015
- Implementation date - May 2, 2016
- Requires licensees to notify NRC of certain cyber incidents within timelines based on the severity of the incident.
- Associated Guidance:
- NRC Regulatory Guide 5.83
- NEI Guidance Document (NEI 15-09)
- The NRC has received no 10 CFR 73.77 notifications to date 16
Questions 17