ML23188A099

U.S.A. Regulatory Efforts for Cybersecurity of Advanced Reactors - Presentation
ML23188A099
Person / Time
Issue date: 07/31/2023
From: Ismael Garcia
NRC/NSIR/DPCP
To:
References
ML23188A055


Text

U.S.A. Regulatory Efforts for Cyber Security of Advanced Reactors

Ismael L. Garcia
Senior Technical Advisor, Cybersecurity and Digital Instrumentation & Control
Office of Nuclear Security and Incident Response
U.S. Nuclear Regulatory Commission (NRC)
Email: Ismael.Garcia@nrc.gov

The information and conclusions presented herein are those of the author only and do not necessarily represent the views or positions of the US Nuclear Regulatory Commission. Neither the US Government nor any agency thereof, nor any employee, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use of this information.

Draft Cyber Security Requirements for Advanced Reactors

Background - Power Reactors

Cyber Requirements Found in 10 CFR 73.54

- Protect digital assets that perform Safety, Security, and Emergency Preparedness functions
- Protect from cyber attacks up to and including a DBT (design basis threat)

Proposed New Cyber Requirements

- 10 CFR Part 53 development for Advanced Reactors
- Preliminary Proposed Rule Language Publicly Available
- New Cyber Requirements in Proposed Rule

Note: This staff-proposed rulemaking has been documented in SECY 23-0021 and is with the Commission for review. More information on the rulemaking process is available at https://www.nrc.gov/about-nrc/regulatory/rulemaking/rulemaking-process.html.

Preliminary Proposed Cyber Requirements

Under the 10 CFR Part 53 rulemaking, the new cybersecurity framework would ensure that digital computers, communication systems, and networks are adequately protected against cyberattacks that may result in:

- Offsite radiation doses that endanger public health and safety.
- A degradation in the physical protection of radioactive material.

Cybersecurity Program: designed in a manner that is commensurate with the potential consequences

- Continuous monitoring and assessment
- Configuration management
- Vulnerability scans
- Ongoing assessment of security controls and effectiveness
- Cybersecurity event notifications

Diagram labels:

- Digital Assets: Safety, Security, Emergency Preparedness
- Defense in Depth
- Confidentiality, Integrity, Availability

Reference: Part 73.110, "Technology-inclusive requirements for protection of digital computer and communication systems and networks," ADAMS Accession Number ML21162A093

Note: This staff-proposed rulemaking has been documented in a SECY and is with the Commission for review. More information on the rulemaking process is available at https://www.nrc.gov/about-nrc/regulatory/rulemaking/rulemaking-process.html.

10 CFR 73.110 - Draft Regulatory Guide Concepts

Draft Regulatory Guide Development

- An acceptable approach for meeting the 10 CFR 73.110 requirements
- Effective guidance to support a performance-based regulatory framework
- Leverage IAEA and IEC security approaches

Draft Regulatory Guide - Three-Tier Analysis Approach

- Facility Level: Eliminate potential adversary scenarios through facility design
- Function Level: Eliminate or mitigate attack vectors through passive cybersecurity plan and defensive computer security architecture elements (e.g., data diodes)
- System Level: Use active cybersecurity plan and defensive computer security architecture elements (e.g., intrusion detection systems) to protect against cyberattacks

Important Terminology

- CEAS: Cyber-Enabled Accident Scenario
- CEIS: Cyber-Enabled Intrusion Scenario

Overview of Draft Regulatory Guide Performance-based/Risk Informed Approach

Overview of Draft Regulatory Guide Performance-based/Risk Informed Approach (Cont.)


Future Work

- SECY-23-0021, Proposed Rule: Risk-Informed, Technology-Inclusive Regulatory Framework for Advanced Reactors (ADAMS Accession Number: ML21162A093) submitted to the Commission on March 1, 2023 for approval
- Continue to support draft Part 53 proposed rulemaking efforts including the cybersecurity requirements and regulatory guidance