ML23165A206

Summary of Meeting on Inspector Manual Chapter 0612 Appendix E, Section on Cybersecurity Examples of Minor Issues
Person / Time
Issue date: 06/06/2023
From: Kim Lawson-Jenkins
NRC/NSIR/DPCP/CSB
To:

U.S. Nuclear Regulatory Commission Public Meeting Summary

Title: Public Meeting on Inspector Manual Chapter 0612 Appendix E, section on cybersecurity examples of minor issues

Date of Meeting: Tuesday, June 6, 2023, 10:00 AM to 11:00 AM ET

Location: Virtual Meeting via Microsoft Teams

Type of Meeting: This is an Information Meeting with a Question and Answer Session.

Purpose of the Meeting:

The purpose of this meeting is to discuss the development of updates to NRC Inspection Manual Chapter (IMC) 0612 Appendix E, section on cybersecurity examples of minor issues.

The purpose of this meeting is for the NRC staff to meet directly with individuals to discuss regulatory and technical issues. Attendees will have an opportunity to ask questions of the NRC staff or make comments about the issues discussed throughout the meeting; however, the NRC is not actively soliciting comments towards regulatory decisions at this meeting.

General Details of Meeting Opening:

The NRC staff held a virtual public meeting with the NEI, the industry, and the public to discuss the development of updates to NRC IMC 0612 Appendix E, section on cybersecurity examples of minor issues. Kim Lawson-Jenkins from the Cyber Security Branch, Office of Nuclear Security and Incident Response (NSIR) began the meeting by thanking all the attendees.

Instructions for the format and procedures for participating in the virtual meeting were provided.

Next, Brian Yip, Chief, Cyber Security Branch, NSIR, provided a brief welcome message and stated that the review and update of the minor examples were based on a request from industry.

Summary of Presentation:

The presentation slide deck is available in ADAMS ML23152A258. The presentation began with a discussion of the major areas of concern for cybersecurity program implementations during the inspection program for the last 10 years. Currently, during the Reactor Oversight Program (ROP) cybersecurity inspections, the most frequent violations are in areas related to maintaining an effective cybersecurity program. Ms. Lawson-Jenkins then proceeded to discuss the issue screening questions in NRC IMC 0612 Appendix B, where if any of the three questions had an affirmative answer, then the issue would be screened as more than minor. For the new minor examples, defense in depth considerations were key to determining the answers to the Appendix B screening questions. The defense in depth considerations are:

  • The capability to detect, respond to, and recover from cyber attacks, and
  • Multiple layers of defensive security controls placed throughout the system with the intent of providing overlapping defenses in the event that a control fails or a vulnerability is exploited.

The five new minor cybersecurity examples are in the areas of 1) baseline configuration, 2) ongoing monitoring and assessment, 3) removal of unnecessary services and programs, 4) physical access control, and 5) evaluate and manage cyber risk (vulnerability management).

The actual new text in Appendix E was not presented during the public meeting. However, a draft of the text will be made available to NRC regional inspectors by June 15, 2023, for a 15-day comment period ending on June 30, 2023. CSB staff will resolve all comments received and submit an updated section of the IMC to the Office of Nuclear Reactor Regulation (NRR) by July 15, 2023.

Questions and Answers:

Dave Feitl of NEI asked if there would be an opportunity for industry to provide formal comments on the draft text for minor examples in IMC 0612 Appendix E. CSB branch chief Brian Yip responded that the staff would check with NRR to verify the procedures for 0612 updates.

Stephen Flickinger of Constellation Nuclear commented that he supported clarity in new examples on defense in depth for cybersecurity and hopefully the updated text would demonstrate how to apply defense in depth principles in areas of the cybersecurity program beyond the 5 new examples.

Tim Riti of NEI had 3 comments. Mr. Riti expressed concern that several recent one-week ROP cybersecurity inspections could not exit at the end of the inspection week. Hopefully the new examples will remove subjectivity in some instances. The second comment was that the new examples would be helpful, especially in clarifying the application of defense in depth. Mr. Riti's third comment questioned whether the new examples would address adverse impact. He offered that there are opportunities for NRC staff and industry to engage in discussions during interactions with the NEI ROP task force and the NRC ROP public meetings.

Meeting Conclusion:

Mr. Yip and Ms. Lawson-Jenkins thanked attendees for their participation in the public meeting and the meeting was adjourned at 10:35.

Attendee List - ADAMS ML23165A214