| ML23188A099 | |
|---|---|
| Issue date: | 07/31/2023 |
| From: | Ismael Garcia NRC/NSIR/DPCP |
| To: | |
| References | ML23188A055 |

U.S.A. Regulatory Efforts for Cyber Security of Advanced Reactors

Ismael L. Garcia
Senior Technical Advisor, Cybersecurity and Digital Instrumentation & Control
Office of Nuclear Security and Incident Response
U.S. Nuclear Regulatory Commission (NRC)
Email: Ismael.Garcia@nrc.gov

The information and conclusions presented herein are those of the author only and do not necessarily represent the views or positions of the US Nuclear Regulatory Commission. Neither the US Government nor any agency thereof, nor any employee, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use of this information.

Draft Cyber Security Requirements for Advanced Reactors

Background - Power Reactors Cyber Requirements

- Found in 10 CFR 73.54
- Protect digital assets that perform Safety, Security, and Emergency Preparedness functions
- Protect from cyber attacks up to and including a DBT

Proposed New Cyber Requirements

- 10 CFR Part 53 development for Advanced Reactors
- Preliminary Proposed Rule Language Publicly Available
- New Cyber Requirements in Proposed Rule

Note: This staff-proposed rulemaking has been documented in SECY 23-0021 and is with the Commission for review. More information on the rulemaking process is available at https://www.nrc.gov/about-nrc/regulatory/rulemaking/rulemaking-process.html.

Preliminary Proposed Cyber Requirements - 10 CFR 73.110

Under the 10 CFR Part 53 rulemaking, the new cybersecurity framework would ensure that digital computers, communication systems, and networks are adequately protected against cyberattacks that may result in:

- Offsite radiation doses that endanger public health and safety.
- A degradation in the physical protection of radioactive material.

Slide diagram labels:

- Confidentiality, Integrity, Availability
- Safety, Security, Emergency Preparedness Digital Assets
- Continuous monitoring and assessment
- Configuration management
- Vulnerability scans
- Cybersecurity event notifications
- Cybersecurity Program
- Designed in a manner that is commensurate with the potential consequences
- Ongoing assessment of security controls and effectiveness
- Defense in Depth

Reference: Part 73.110, "Technology-inclusive requirements for protection of digital computer and communication systems and networks," ADAMS Accession Number ML21162A093

Draft Regulatory Guide Concepts

Draft Regulatory Guide Development

- An acceptable approach for meeting the 10 CFR 73.110 requirements
- Effective guidance to support a performance-based regulatory framework
- Leverage IAEA and IEC security approaches

Draft Regulatory Guide - Three-Tier Analysis Approach

- Facility Level: Eliminate potential adversary scenarios through facility design
- Function Level: Eliminate or mitigate attack vectors through passive cybersecurity plan and defensive computer security architecture elements (e.g., data diodes)
- System Level: Use active cybersecurity plan and defensive computer security architecture elements (e.g., intrusion detection systems) to protect against cyberattacks

Important Terminology

- CEAS: Cyber-Enabled Accident Scenario
- CEIS: Cyber-Enabled Intrusion Scenario

Overview of Draft Regulatory Guide Performance-based/Risk Informed Approach

Future Work

- SECY-23-0021, Proposed Rule: Risk-Informed, Technology-Inclusive Regulatory Framework for Advanced Reactors (ADAMS Accession Number: ML21162A093) submitted to the Commission on March 1, 2023 for approval
- Continue to support draft Part 53 proposed rulemaking efforts including the cybersecurity requirements and regulatory guidance