ML23240A512
Issue date: 08/28/2023
From: Ismael Garcia, NRC/NSIR/DPCP
Paper ID 40531

U.S. Regulatory Efforts for Cybersecurity of Advanced Reactors

Mr. Ismael L. Garcia, P.E.
U.S. Nuclear Regulatory Commission, Rockville, MD

ABSTRACT

Current proposed Advanced Reactors (ARs) include diverse technologies such as next generation modular pressurized water reactors, high temperature gas cooled reactors, molten salt reactors, and liquid metal cooled fast reactors. These diverse technologies each have a unique set of functions and systems that support both nuclear safety and security. To address these challenges, the U.S. Nuclear Regulatory Commission (NRC) is moving toward a more risk-informed, performance-based, and technology-inclusive regulatory framework. Under Part 53 [1], the U.S. NRC, supported by cybersecurity experts from the Department of Energy (DOE) national laboratories and U.S. universities, developed a proposed cybersecurity rule for advanced reactors, 10 CFR 73.110, Technology neutral requirements for protection of digital computer and communication systems and networks [2], and an accompanying regulatory guide (RG). The RG provides an advanced reactor applicant or licensee with an acceptable approach for meeting the new proposed requirements. The proposed rule and RG take a risk-informed, graded approach to the design and implementation of a cybersecurity program, so that ARs are protected against the unacceptable consequences of a cyber-attack. The proposed rule and RG leverage the outcomes of both the safety and the security analyses performed for each reactor design.
Keywords: control, cybersecurity, digital, framework, instrumentation
1. INTRODUCTION

Current proposed ARs include diverse technologies, and each has a unique set of functions and systems that support both nuclear safety and security. To address these challenges, the NRC has initiated a rulemaking known as Part 53 [1] to propose a more risk-informed, performance-based, and technology-inclusive regulatory framework for ARs with accompanying regulatory guidance. Section 2.3 below describes the efforts associated with the development of the cybersecurity requirements for advanced reactors, while Section 2.4 describes the efforts associated with the companion regulatory guidance development.
2. DRAFT CYBERSECURITY REQUIREMENTS AND REGULATORY GUIDE FOR ADVANCED REACTORS

2.1. Definition of Terms

The following definitions are specific to this paper:
Ismael.Garcia@nrc.gov
- Performance-based Approach: An approach that establishes performance and results as the primary basis for decision-making, and incorporates the following attributes: (1) measurable (or calculable) parameters (i.e., direct measurement of the physical parameter of interest or of related parameters that can be used to calculate the parameter of interest) exist to monitor system, including facility and licensee, performance; (2) objective criteria to assess performance are established based on risk insights, deterministic analyses and/or performance history; (3) licensees have flexibility to determine how to meet the established performance criteria in ways that will encourage and reward improved outcomes; and (4) a framework exists in which the failure to meet a performance criterion, while undesirable, will not in and of itself constitute or result in an immediate safety concern [3].
- Risk-informed Approach: An approach to decision-making that considers risk insights along with other factors such as engineering judgment, safety limits, and redundant or diverse safety systems. Such an approach is used to establish requirements that better focus licensee and regulatory attention on design and operational issues and ensure that such attention is commensurate with the importance of those issues to public health and safety [4].
2.2. Background

The cybersecurity requirements for each licensee currently licensed to operate a nuclear power plant under parts 50 and 52 are found in Title 10 of the Code of Federal Regulations (10 CFR) section 73.54, Protection of digital computer and communication systems and networks [5], which was issued in 2009. These requirements are based on the function digital assets (i.e., digital computer and communication systems and networks) perform. Specifically, licensees must protect digital assets associated with: (1) safety, security, and emergency preparedness functions, and (2) support systems which, if compromised, could adversely impact safety, security, or emergency preparedness functions. Licensees must ensure these systems are protected from cyber-attacks, up to and including the Design Basis Threat, that would: (1) adversely impact integrity or confidentiality; (2) deny access to systems, services, and/or data; or (3) adversely impact operations. In response to the 10 CFR 73.54 requirements, each licensee currently licensed to operate a nuclear power plant under parts 50 and 52 developed a cybersecurity plan that was reviewed and approved by the NRC staff. Oversight of licensee compliance with the NRC-approved cybersecurity plans is conducted by the NRC staff through periodic inspection activities.
2.3. Proposed New Cyber Requirements

For ARs, the NRC staff is developing a transformative regulatory framework that builds upon a strong foundation of Commission policies and decisions, and evolves existing requirements into a modern, risk-informed, performance-based approach. Specifically, Part 53 will provide technology-inclusive, risk-informed, performance-based approaches to safety and security that include scaling the requirements for licensing and regulating a variety of advanced reactor designs and technologies. The overall principles associated with this effort include: (1) leveraging the best practices from regulatory and operating experience while considering lessons learned; (2) crediting technological advancements that could provide operational flexibilities with increased margins of safety; and (3) prioritizing risk-informed and performance-based approaches that accommodate various advanced reactor technologies. The NRC is periodically making available the preliminary proposed Part 53 rule language for public comment. The NRC staff is listening to all stakeholders and has made changes to the preliminary proposed rule language in response to stakeholder feedback.
The proposed rule will contain a new section, 10 CFR 73.110, Technology Neutral Requirements for Protection of Digital Computer and Communication Systems and Networks [2] to address cybersecurity.
This section will implement a graded approach to cybersecurity, based on the consequences of a potential cyber-attack, to determine the level of protection required for digital computer and communication systems and network technologies. A graded approach based on potential consequences is intended to facilitate risk-informed approaches, results, and insights for the wide range of reactor technologies to be assessed by the NRC. The rule will recognize the more significant role that digital computer and communication systems may play in future reactor designs. This proposed rule leverages the operating experience and lessons learned over the past 12 years from power reactors' implementation of the current cybersecurity regulations.
As shown in Fig. 1 below, 10 CFR 73.110 will require licensees to protect systems associated with safety, security, and emergency preparedness functions using a graded cybersecurity program commensurate with potential consequences from cyber-attacks. The first consequence deals with radiological sabotage or scenarios where a cyber-attack adversely impacts the functions performed by digital assets which may lead to offsite radiation hazards that would endanger public health and safety by exceeding established dose criteria. The second consequence deals with physical intrusion or scenarios where a cyber-attack adversely impacts the functions performed by digital assets used to maintain physical security.
Figure 1. New cybersecurity approach - 10 CFR 73.110.
Under 73.110, licensees would be required to: (1) Analyze the potential consequences resulting from cyber-attacks and identify those assets that must be protected, and (2) Establish, implement, and maintain a cybersecurity program, as defined in the cybersecurity plan, to protect the assets identified by applying defense-in-depth protective strategies to ensure the ability to detect, delay, respond, and recover from cyber-attacks capable of causing the consequences discussed in the above paragraph. In addition, licensees would be required to: (1) Implement security controls commensurate with safety/security significance via a graded approach; (2) Mitigate adverse impact of cyber-attacks capable of causing the consequences discussed in the above paragraph; and (3) Ensure functions of protected assets are not adversely impacted due to cyber-attacks capable of causing the consequences discussed in the above paragraph. The NRC staff continues to develop this preliminary proposed rule, and its companion regulatory guidance described in Section 2.4 below. The proposed rule will be published for comment after the Commission votes.
2.4. Draft Regulatory Guide Concepts

This section describes the companion regulatory guidance development for the new preliminary proposed cybersecurity requirements at 73.110.
2.4.1. Draft regulatory guide development

The U.S. NRC, supported by cybersecurity experts from the Department of Energy national laboratories and U.S. universities, developed an RG to provide an AR applicant or licensee under 10 CFR Part 53 with an acceptable approach for meeting the requirements of 10 CFR 73.110. To accommodate the wide range of commercial nuclear plant technologies to be assessed by the NRC under 10 CFR Part 53, a new cybersecurity analysis approach is being implemented via this draft RG while factoring in the following:
- 1. Commercial nuclear plant designs include increased reliance on digital systems, emerging technologies, passive safety features and other novel design features.
- 2. Novel use cases such as remote monitoring and autonomous operations are planned, which demand reassessing legacy systems isolation paradigms.
- 3. This effort is being informed by national and international standards and approaches supporting security concepts having a high degree of expert acceptance, including security design features, customized control catalogues and performance-based objectives.
- 4. The increasing capabilities of attackers, with a corresponding increase in sophistication and Operational Technology focus, dictate a broader approach to software supply chain attacks including both technical and administrative defensive measures.
This draft RG will provide an acceptable method that applies a risk-informed, performance-based, technology-inclusive approach to account for the differing risk levels within commercial nuclear plant technologies and to meet the demands for protection against the unacceptable consequences of a cyber-attack.
This draft RG will describe, among other things, the elements required in a cybersecurity plan, including a cybersecurity plan template, and contain cybersecurity controls while leveraging the content in RG 5.71, Cyber Security Programs for Nuclear Facilities, [6] which was developed for each licensee currently licensed to operate a nuclear power plant under parts 50 and 52. This effort will also leverage the information from International Atomic Energy Agency and International Electrotechnical Commission publications. The follow-on sections provide a high-level overview of the risk-informed, performance-based, technology-neutral approach concept being developed as part of this draft RG.
2.4.2. Three-tier analysis approach

This draft RG will implement a three-tier approach via analyses at the Facility Level, Function Level, and System Level. At the Facility Level, the intent of the analysis is to rely on existing safety and security assessments to determine whether the plant's design basis and existing physical protection systems are sufficient to effectively prevent the potential consequences of a cyber-attack. At the Function Level, the intent of the analysis is to understand the adversary's access to attack pathways that allow for the compromise of plant functions resulting in the unacceptable consequences defined in 10 CFR 73.110. At the System Level, the intent of the analysis is to identify protective measures, including system-level cybersecurity controls, to prevent or mitigate the impact of compromised plant functions.
Both the Function Level and System Level analyses will use a graded approach to determine the level of cybersecurity protection commensurate with the potential consequences of a cyber-attack. The intent of this approach is to ensure that analyses are performed until it is demonstrated that a cyber-attack cannot result in the consequences listed in 10 CFR 73.110. This may result in a single tier of analysis being performed, two tiers being performed (i.e., the first and second tier), or all three tiers being performed. The follow-on sections provide a more detailed explanation of how this three-tier analysis approach is being implemented in the draft RG.
2.4.3. Important terminology

The analysis approach discussed herein uses the following two terms:
- CEAS: Cyber-Enabled Accident Scenario, which refers to postulated accidents that are used to assess the potential radiological sabotage consequences resulting from a cyber-attack. The CEAS development leverages the safety-related analysis performed for a given advanced reactor design.
- CEIS: Cyber-Enabled Physical Intrusion Scenario, which refers to postulated scenarios that are used to assess the potential physical intrusion consequences that are enabled or result from a cyber-attack. In other words, the assessment of CEIS allows for insights into mitigations to cyber-attacks associated with the potential to result in unacceptable physical intrusion consequences.
2.4.4. Overview of draft RG performance-based/risk-informed approach

The analysis approach shown in Fig. 2 through Fig. 4, which is being implemented as part of the RG development, is intended to ensure that only systems that perform or rely upon functions that can contribute to the 10 CFR 73.110 consequences are required to be assessed and protected.
Figure 2. Performance-based/risk informed analysis approach - Part 1.
As part of the Facility Analysis shown in Fig. 2 above, the existing results of safety and security assessments are used to analyze whether the loss or compromise of a plant function results in the unacceptable consequences defined in 10 CFR 73.110. The focus of this portion of the risk assessment is to evaluate potential cyber-attack consequences considering the plant design basis and physical protection system. CEAS and CEIS, the two terms defined in Section 2.4.3 above, help identify those scenario sequences that result in, or have the potential to result in, the consequences defined in 10 CFR 73.110 and that must therefore be protected against potential cyber-attacks.
If a cyber-attack results in the 10 CFR 73.110 consequences threshold being exceeded, then enhancements or improvements to the design basis and/or physical protection system mitigations should be considered, if allowed by a security by design approach. A security by design approach refers to the considerations for safety and security requirements together in the design process such that security issues (e.g., newly identified threats of adversary attacks) can be effectively resolved through facility design and engineered security features, and formulation of mitigation measures, with no or minimal reliance on human actions. If a cyber-attack does not result in the 10 CFR 73.110 consequences threshold being exceeded, then the licensee documents the design basis elements and physical protection system features which ensure that potential cyber-attacks do not result in those consequences.
If the preceding analysis shows that a cyber-enabled scenario results in the 10 CFR 73.110(a) consequences threshold being exceeded and security by design is not feasible, then the licensee proceeds to the Function Level Analysis, the next tier of analysis, by developing Adversary Functional Scenarios as shown in Fig. 3, which is aimed at managing functional risks. The intent of this analysis is to assess whether and how an adversary can affect the functions via a cyber-attack, thus leading to radiological sabotage or physical intrusion scenarios that result in unacceptable consequences.
Based on the outcome of the Adversary Functional Scenarios, the licensee can manage functional risks by specifying prohibitive Cybersecurity Plan elements, such as prohibiting the use of wireless for certain plant applications, and passive/deterministic Defensive Cybersecurity Architecture elements, such as a data diode, to protect against cyber-attacks. The Adversary Functional Scenario Analysis helps identify incident scenarios to inform the design, development, and implementation of the Defensive Cybersecurity Architecture and other common, facility-wide elements that provide a plant capability (e.g., resilience) that can be leveraged to provide protection against cyber-attacks, specifically those associated with unacceptable consequences as defined in 10 CFR 73.110.
Figure 3. Performance-based/risk informed analysis approach - Part 2.
If the analysis results reveal that there are any remaining unmitigated adversary functional scenarios and the implementation of passive defense features such as those discussed herein is not feasible, then the licensee proceeds to perform the System Level, or third-tier, analysis as shown in Fig. 4 below. For cases where there are no remaining unmitigated adversary functional scenarios, proceeding with the next tier of analysis would be optional; licensees may decide to do so to further enhance their defense-in-depth posture against cyber-attacks.
As part of the System Level analysis depicted in Fig. 4, the licensee needs to identify the critical functions and associated systems via the use of a graded approach. Critical functions are those that are associated with a CEAS or CEIS. Critical Systems may be categorized into most critical or least critical allowing for a graded approach to be applied in the selection and implementation of cybersecurity control measures.
Figure 4. Performance-based/risk informed analysis approach - Part 3.
Adversary Technical Sequences are sequences of adversary tactics, techniques, and procedures that the licensee should protect against. Frameworks such as MITRE ATT&CK [7] can be used to develop Adversary Technical Sequences that are consistent and reproducible. The outcome of the Adversary Technical Sequences approach helps identify cybersecurity control measures and controls on system design and operation to protect critical function(s) via the application of a graded approach and implementation of defense-in-depth approaches for prevention, detection, and response against cyber-attacks.
As shown in Fig. 4, this iterative analysis proceeds until all Adversary Technical Sequences are mitigated.
Once this objective is achieved, the licensee would need to document the Cybersecurity Plan and Defensive Cybersecurity Architecture elements, including cybersecurity controls, needed to protect against cyber-attacks.
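The tiered procedure of Sections 2.4.2 through 2.4.4, reduced to executable form as an added example (it is not part of the paper, and not NRC code or guidance). It assumes a plant whose Cybersecurity Plan prohibits wireless for protected functions, whose Defensive Cybersecurity Architecture places a data diode on inbound network pathways, and a graded rule that the most critical systems must break each Adversary Technical Sequence at two independent steps while the least critical need one; the scenario, function, system and control names, and the ATT&CK for ICS technique IDs used as step labels, are constructed sample data.

```python
"""Executable model of a three-tier, consequence-based cyber screening
(Facility Level -> Function Level -> System Level). Added illustration,
not NRC code or guidance; every plant detail below is constructed."""
from dataclasses import dataclass, field


@dataclass
class FunctionalScenario:
    """Adversary Functional Scenario: the plant function an adversary would
    compromise and the access pathway that compromise requires."""
    function: str
    pathway: str  # constructed labels, e.g. "wireless", "maintenance_laptop"


@dataclass
class TechnicalSequence:
    """Adversary Technical Sequence: ordered TTP steps against one critical
    system. Steps are ATT&CK for ICS technique IDs used as sample data."""
    function: str
    system: str
    criticality: str  # "most" or "least" (graded approach)
    steps: tuple


@dataclass
class Scenario:
    """A CEAS (radiological sabotage) or CEIS (physical intrusion) scenario."""
    name: str
    kind: str
    exceeds_threshold: bool  # outcome of the facility-level safety/security assessment
    sbd_feasible: bool       # can security-by-design remove the consequence outright?
    functional: list = field(default_factory=list)
    technical: list = field(default_factory=list)


@dataclass
class Result:
    tier_reached: int
    disposition: str
    documented: list                       # plan/architecture elements to record
    unmitigated: list = field(default_factory=list)


# Facility-wide elements assumed for the example plant (constructed).
PLAN_PROHIBITIONS = {"wireless"}                          # Cybersecurity Plan element
PASSIVE_ARCHITECTURE = {"inbound_network": "data diode"}  # deterministic DCA element
# Assumed graded defense-in-depth rule: broken steps required per sequence.
REQUIRED_BREAKS = {"most": 2, "least": 1}


def analyze(s: Scenario, controls: dict) -> Result:
    """Run the tiers in order; stop at the first tier showing the 73.110
    consequence cannot be reached. `controls` maps technique ID -> control."""
    # Tier 1, Facility Level: rely on the existing safety/security assessments.
    if not s.exceeds_threshold:
        return Result(1, "screened out", ["design basis and physical protection features"])
    if s.sbd_feasible:
        return Result(1, "resolved by security-by-design", ["engineered security feature"])
    # Tier 2, Function Level: prohibit or passively block the access pathway.
    documented, remaining = [], []
    for afs in s.functional:
        if afs.pathway in PLAN_PROHIBITIONS:
            documented.append(f"plan prohibits {afs.pathway} for {afs.function}")
        elif afs.pathway in PASSIVE_ARCHITECTURE:
            documented.append(f"{PASSIVE_ARCHITECTURE[afs.pathway]} isolates {afs.function}")
        else:
            remaining.append(afs.function)
    if not remaining:
        return Result(2, "mitigated by facility-wide elements", documented)
    # Tier 3, System Level: break each sequence against a still-exposed function.
    unmitigated = []
    for ats in s.technical:
        if ats.function not in remaining:
            continue  # functions closed at tier 2 need no system-level analysis
        broken = [controls[t] for t in ats.steps if t in controls]
        if len(broken) >= REQUIRED_BREAKS[ats.criticality]:
            documented.append(f"{ats.system}: {', '.join(broken)}")
        else:
            unmitigated.append(ats)
    if unmitigated:
        return Result(3, "iterate: sequences remain", documented, unmitigated)
    return Result(3, "mitigated by system-level controls", documented)


def iterate_controls(s: Scenario, catalog: dict) -> tuple:
    """Add controls from `catalog` one step at a time until the system-level
    analysis closes (the Fig. 4 loop), or the catalog is exhausted."""
    selected = {}
    while True:
        res = analyze(s, selected)
        if not res.unmitigated:
            return res, selected
        open_steps = [t for t in res.unmitigated[0].steps
                      if t not in selected and t in catalog]
        if not open_steps:
            return res, selected  # nothing left to add; report what remains
        selected[open_steps[0]] = catalog[open_steps[0]]


# Constructed sample: a reactor trip function (CEAS) and a barrier function (CEIS).
TRIP = FunctionalScenario("reactor trip", "wireless")
GATE = FunctionalScenario("vehicle barrier control", "maintenance_laptop")
GATE_SEQ = TechnicalSequence("vehicle barrier control", "barrier PLC", "most",
                             ("T0847", "T0855", "T0831"))
CATALOG = {"T0847": "portable media scanning kiosk",
           "T0855": "command authentication at the PLC",
           "T0831": "hardwired interlock"}
SABOTAGE = Scenario("loss of trip", "CEAS", True, False, [TRIP])
INTRUSION = Scenario("barrier opened", "CEIS", True, False, [GATE], [GATE_SEQ])

if __name__ == "__main__":
    print(analyze(SABOTAGE, {}))
    print(iterate_controls(INTRUSION, CATALOG))
```

Run against SABOTAGE the analysis stops at Tier 2, because the plan prohibition alone removes the only pathway; that is the role of the prohibitive and passive elements in Section 2.4.4, which close scenarios before any control catalog is consulted. INTRUSION cannot be closed at Tier 2, and because the barrier PLC is graded "most critical" the loop keeps selecting controls until two steps of the sequence are broken, whereas a "least critical" system would close after one.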
3. CONCLUSIONS

Advanced reactors will implement a graded approach to determine the level of cybersecurity protection required for digital computers, communication systems, and networks. A graded approach based on consequences is intended to account for the differing risk levels among reactor technologies. The proposed new cybersecurity framework will require licensees to demonstrate protection against cyber-attacks in a manner that is commensurate with the potential consequences of those attacks.
Differences between the cybersecurity framework for operating reactors and the new proposed cybersecurity framework are primarily based on the implementation of a consequence-based approach to cybersecurity to accommodate the wide range of reactor technologies to be assessed by the NRC. The new cybersecurity framework is informed by (1) the operating experience from power reactors and fuel cycle facilities and (2) the existing operating reactors' cybersecurity framework, which addresses some of the basic issues of cybersecurity regardless of the type of reactor.
In terms of the future work associated with the proposed cyber requirements and their companion RG, the NRC staff plans to continue working on topics for inclusion in the document such as: (1) developing sample Accident and Physical Intrusion scenarios; (2) providing guidance for using a performance-based approach for the selection of cybersecurity measures; and (3) providing specific guidance for emerging technologies such as remote operation and autonomous operation of reactors. These efforts will support finalizing the proposed cyber requirements and draft RG for inclusion in the Part 53 rulemaking package to be submitted to the Commission for approval.
DISCLAIMER This paper represents the personal opinions and viewpoints of the author and is not intended to represent any official position of the U.S. NRC.
REFERENCES
- 1. U.S. NRC, Part 53 - Risk Informed, Technology-Inclusive Regulatory Framework for Advanced Reactors, (2022), https://www.nrc.gov/reactors/new-reactors/advanced/rulemaking-and-guidance/part-53.html.
- 2. U.S. NRC, 10 CFR Part 73, Physical Protection of Plants and Materials, Section 73.110, Technology neutral requirements for protection of digital computer and communication systems and networks, Title 10, Energy, (2021), https://www.nrc.gov/docs/ML2130/ML21308A026.pdf.
- 3. U.S. NRC, Staff Requirements Memorandum, SECY-98-144, White Paper on Risk-Informed and Performance-Based Regulation, NRC: Washington, DC, March 1999.
- 4. U.S. NRC, NUREG-1614, Vol. 7, Strategic Plan: Fiscal Years 2018-2022 (Final Report), NRC: Washington, DC, February 2018.
- 5. U.S. NRC, 10 CFR 73.54, Protection of digital computer and communication systems and networks, Title 10, Energy, (2009), https://www.nrc.gov/reading-rm/doc-collections/cfr/part073/part073-0054.html.
- 6. U.S. NRC, RG 5.71, Cyber Security Programs for Nuclear Facilities, (2010), https://www.nrc.gov/docs/ML0903/ML090340159.pdf.
- 7. MITRE Corporation, MITRE ATT&CK for Industrial Control Systems: Design and Philosophy, (2020), https://attack.mitre.org/.