ML23118A268

NRC Response to NEI Wireless Cyber Security Guidance
ML23118A268
Person / Time
Issue date: 05/17/2023
From: Brian Yip
NRC/NSIR/DPCP/CSB
To: Mogavero R
Nuclear Energy Institute
Shared Package
ML23118A248 List:
References
ML23118A248


Text

May 17, 2023

Mr. Richard Mogavero
Senior Project Manager
Nuclear Security and Incident Preparedness
Nuclear Energy Institute
1201 F Street NW, Suite 1100
Washington, DC 20004

SUBJECT: RESPONSE TO NEI WIRELESS CYBER SECURITY GUIDANCE, DATED MARCH 2023

Dear Mr. Mogavero:

In your letter dated March 1, 2023, you requested the U.S. Nuclear Regulatory Commission (NRC) find the approach in the Nuclear Energy Institute's (NEI's) Wireless Security Guidance (Agencywide Documents Access and Management System (ADAMS) Accession Number ML23060A327) acceptable to eliminate the threat/attack vectors associated with the controls in NEI 08-09, Revision 6, Cyber Security Plan for Nuclear Power Reactors, section D.1.17, Wireless Access Restrictions, which is part of licensees' NRC-approved cybersecurity plans (CSPs). Your letter incorporates by reference proposed alternate security controls documented in a report prepared by Idaho National Laboratory, Draft Methodology for Cybersecurity Analysis for Adoption of Wireless Technology in Nuclear Power Plants (https://doi.org/10.2172/1892308). As this issue relates to NEI's broader project to revise NEI 08-09, the staff performed its review of this technical issue under the fee exemption granted by the NRC Chief Financial Officer on January 17, 2023 (ML22348A112).

Title 10 of the Code of Federal Regulations (10 CFR) 73.54, Protection of digital computer and communication systems and networks, requires licensees to establish, maintain, and implement a cybersecurity program that provides reasonable assurance that digital computer and communication systems and networks are adequately protected against cyberattacks. The term communication systems refers to wired, wireless, or temporary connections such as the use of portable media and mobile devices. Regardless of the connectivity method, 10 CFR 73.54 requires licensees to adequately protect digital assets associated with:

(i) Safety-related and important-to-safety functions;
(ii) Security functions;
(iii) Emergency preparedness functions, including offsite communications;
(iv) Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.

CONTACT: Mario Fernandez, NSIR/DPCP 301-287-3687

With respect to implementation of wireless devices used for monitoring equipment, licensees are required in accordance with 10 CFR 73.54(b)(1) and the NRC-approved CSPs, section A.3.1 Analyzing Digital Computer Systems and Networks and Applying Cyber Security Controls, to perform an analysis and determine if technologies associated with monitoring that have wireless capabilities for data transmission (also known as advanced remote monitoring (ARM)) are within the scope of the cybersecurity program. If the analysis determines that ARM technologies are not credited in the site's licensing basis or are not relied upon for safety, then the ARM technologies are not within the scope of the cybersecurity program.

The proposed approach in your letter regarding NEI 08-09, Revision 6, section D.1.17, is not directly related to the potential implementation of wireless monitoring devices. Therefore, the NRC staff did not perform a review within the scope of NEI 08-09, Revision 6, section 3.1.6(b)(2), Mitigation of Vulnerabilities and Application of Cyber Security Controls, as requested in your letter.

The NRC recognizes that certain language in section D.1.17 of the CSP may be broadly interpreted as precluding licensees from implementing ARM with wireless capabilities. However, licensees may use the 50.54(p) process to make CSP changes to clarify or further define terminology provided the changes do not decrease the effectiveness of the CSP.

Should you or your staff have any questions, please contact Mr. Mario Fernandez at (301) 287-3687 or mario.fernandez@nrc.gov.

Sincerely,

Signed by Yip, Brian on 05/17/23

Brian M. Yip, Chief
Cyber Security Branch
Division of Physical and Cyber Security Policy
Office of Nuclear Security and Incident Response

ML23118A248; Ltr ML23118A268

* via email

OFFICE: NSIR/DPCP/CSB | NSIR/DPCP/CSB | NRR/DEX/ELTB* | RES/DE/ICEEB
NAME: MFernandez MF | BYip BY | JPaige JP | CCook CC
DATE: May 1, 2023 | May 1, 2023 | May 1, 2023 | May 2, 2023

OFFICE: NSIR/DPCP/CSB
NAME: BYip BY
DATE: May 17, 2023