ML23004A162
| ML23004A162 | |
|---|---|
| Issue date: | 01/04/2023 |
| From: | Dan Warner NRC/NSIR/DPCP/CSB |
NRC Regulatory Countermeasures to Cyber Threats
Dan Warner, CISSP
Cyber Security Branch (CSB)
Division of Physical and Cyber Security Policy (DPCP)
Office of Nuclear Security and Incident Response (NSIR)
Daniel.Warner@nrc.gov
Overview of US NRC Cybersecurity Program
[Timeline figure. Date markers: 2002-04, 2005-07, 2009, 2010, 2013-15, 2017, 2017-21, 2022. Events shown: NRC issues various orders and guidance to address cyber threat; voluntary implementation of interim cybersecurity program; 10 CFR 73.54 Cybersecurity Rule issued; RG 5.71 and NEI 08-09 implementation guidance approved; all NPPs' Cyber Security Plans (CSPs) approved; interim implementation inspections conducted; full implementation; full implementation inspections conducted; biennial baseline inspections start; baseline inspections continue.]
10 CFR 73.54 Protection of Digital Computer & Communication Systems and Networks
High assurance that digital computer and communication systems and networks are adequately protected against cyberattacks.
Cybersecurity program implementation requirements at operating and new reactors.
Focus: Prevention of Radiological Sabotage
Generic Defensive Architecture
[Diagram. Labels: Internet; Corporate Network; Site Network; Security / Safety Systems; One-way Deterministic Device]
Attack Pathways
- 1. Physical access: Protected by an alarmed fence with cameras and an armed security force.
- 2. Wired communications: Nuclear power plants' critical digital assets are isolated from the internet either by a data diode, which allows only one-way communication (from the plant to the internet), or by an air gap (no communication allowed).
- 3. Wireless communications: Not allowed for any safety critical digital assets.
- 4. Portable media/device connectivity: Plants have a portable media program that specifies controls that must be followed.
- 5. Supply chain: Plants have a supply chain program that specifies controls that must be followed.
Additional Discussion Topics
- Latest technologies implemented
- Wireless communications/surveillance systems
- Guidelines for saving surveillance camera data
- Dedicated personnel on site for cyber attacks
Questions
Backup slides, if needed
Physical Access - Attack Pathway
Protection against physical access cyberattacks includes physical security measures such as:
- Protected area is surrounded by an alarmed fence with surveillance cameras continually monitoring access. Access to this area requires individuals to be screened prior to entry.
- Access to the control room and other vital areas requires key card access in addition to access to the protected area.
- An armed security force is also present to protect the plant in case of an attack.
Wired Access - Attack Pathway
Protection against wired access attacks includes measures such as:
- Firewalls, a data diode and air gaps.
- Protection of wired access to a nuclear power plant relies on a defense-in-depth approach.
- Access to the corporate business network and the site business network is protected by firewalls. The operational networks are physically isolated to prevent access from the business network.
- Access to any critical digital assets (CDAs) is protected either by a data diode or by air gapping the systems, which prevents any wired access to these components from the outside world.
Wireless Access - Attack Pathway
Protection against wireless attacks is accomplished by:
- Not allowing any wireless access to any safety critical digital assets (CDAs).
- While the sites may have wireless access to their business networks, wireless access is prohibited from any network that contains or has access to a safety CDA.
- In addition, the sites are required to periodically monitor their networks to ensure that no rogue wireless networks have been established.
Portable Media/Device Connectivity - Attack Pathway
Protection against portable media attacks is accomplished by:
- Licensees' portable media program required by their cyber security plan.
  - This extensive program, which has been inspected at each nuclear power plant, requires numerous controls that govern the types of portable media (i.e. USB thumb drives) that can be connected to CDAs and how they can be connected to a CDA (i.e. scanning the portable media with a kiosk prior to connecting it to a CDA).
Supply Chain - Attack Pathway
Licensees' supply chains are protected by:
- Licensees' supply chain program required by their cyber security plan:
  - Requires licensee testing prior to placing any CDA in service.
  - Requires licensees to only purchase from approved vendors.
  - Requires licensees to have a trusted distribution path that protects the integrity of CDAs during transport of the CDA from the vendor to the licensee (i.e. tamper tape, etc.).
Additional Discussion Topics
- Latest technologies implemented
  - On the safety side of the plant - very few new technologies have been implemented.
  - On the physical security side of the plant - most of the technology is relatively new (implemented after 9/11/2001).
- Wireless communications/surveillance systems
  - On the safety side of the plant - no wireless is allowed.
  - On the security side of the plant - wireless communications have been implemented. Wireless surveillance systems are being tested; however, they are not yet credited for protection.
Additional Discussion Topics
- Guidelines for saving surveillance camera data
  - There is no code requirement to maintain surveillance camera data for any period of time.
  - The licensees are required to maintain an alarm record with time and disposition.
  - Some licensees do maintain a backup for various amounts of time, but it is not required.
- Dedicated personnel on site for cyber attacks
  - There is currently no requirement that the licensees have dedicated personnel onsite to respond to a cyberattack.
  - They have developed incident response plans and typically would have personnel onsite during normal business hours. If the attack happened on the back shift, the licensees would be expected to call personnel in as needed to respond to the attack.