ML23242A200

Public Mtg Vulnerability White Paper_Summary_20230824
ML23242A200
Person / Time
Issue date: 09/05/2023
From: Alexander Prada
NRC/NSIR/DPCP/CSB
To: Brian Yip
Office of Nuclear Security and Incident Response
References
ML23177A192


Text


September 5, 2023

MEMORANDUM TO: Brian M. Yip, Chief
Cyber Security Branch
Division of Physical and Cyber Security Policy
Office of Nuclear Security and Incident Response

FROM: Alexander Prada, IT Specialist (Cyber)
Cyber Security Branch
Division of Physical and Cyber Security Policy
Office of Nuclear Security and Incident Response
(Signed by Prada, Alexander on 09/05/23)

SUBJECT: SUMMARY OF AUGUST 3, 2023, PUBLIC MEETING TO DISCUSS THE DETAILS OF NRC'S RESPONSE TO NEI'S "REMEDIATION OF VULNERABILITIES IDENTIFIED IN CDAS" WHITE PAPER

On August 3, 2023, the U.S. Nuclear Regulatory Commission (NRC) held a public meeting to discuss the NRC's feedback and observations on the Nuclear Energy Institute's (NEI's) "Remediation of Vulnerabilities Identified in CDAs" white paper (Agencywide Documents Access and Management System (ADAMS) Accession No. ML23072A063). The meeting notice is available at ADAMS Accession No. ML23200A274. Approximately 70 participants, including the NRC staff, industry representatives, and members of the public, attended the meeting. This public meeting is part of NEI's ongoing effort to develop the next revision of NEI 08-09, "Cyber Security Plan for Nuclear Power Reactors," Revision 7.

The meeting was a hybrid meeting consisting of an open portion and a closed portion. During the open portion of the meeting, there were formal introductions and introductory remarks from the NRC and NEI. Following the remarks, NEI stated that its next white paper, "Ongoing Monitoring and Assessment (OM&A)," has been sent to the NRC for review. The NRC is preparing a public meeting to discuss the details of that white paper. During the Q&A portion of the open session, the public and stakeholders did not have any questions. This concluded the open portion of the meeting.

For the closed portion of the meeting, NEI provided a presentation clarifying some items addressed in the NRC's review of the vulnerability management white paper.

First, NEI noted that the NRC's written feedback cited Regulatory Guide (RG) 5.71, "Cyber Security Programs for Nuclear Power Reactors," Revision 1 (ML22258A204). Since licensees primarily use NEI 08-09 as their cybersecurity plan (CSP) template, NEI was concerned that the NRC was referring to RG 5.71 when reviewing the white paper. The NRC staff noted that it used definitions in the RG to support its understanding of certain terminology, since the current version of NEI 08-09 did not define those terms. NEI noted that it plans to define additional terms in the next revision of NEI 08-09.

CONTACT: Alexander Prada, NSIR/DPCP, 301-415-0875

Another concern that NEI mentioned is that licensees cannot credit other security controls when dispositioning a vulnerability. The NRC stated that a vulnerability assessment should consider other controls in the analysis of a vulnerability. In addition, the NRC stated what is not acceptable when performing an assessment of a vulnerability, providing additional examples of practices that would be inconsistent with a licensee's vulnerability management program. The NRC further stated that applicability plays an important role in vulnerability assessments: existing security controls may be credited only if they are applicable to the attack vectors of the vulnerability. As an example, a licensee cannot use physical security controls to lower the severity score of a vulnerability that is exploited through logical means.
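The applicability point above (a control is credited only against the attack vector it actually interposes on) is easiest to see with numbers. The following is an added example, not code from the memo, the NRC or NEI: it implements the CVSS v3.1 base-score arithmetic from the FIRST specification, then treats a compensating control as creditable only when it sits in front of the vulnerability's own attack vector. The `Control` model with its `interposes_on` and `narrows_to` fields, and the sample vulnerability and controls, are constructed assumptions for illustration; the effect of a credited control is modelled as an overridden attack vector, in the spirit of the CVSS Environmental "Modified Attack Vector" metric.

```python
"""Crediting compensating controls only where they apply to a vulnerability's
attack vector. Constructed illustration; CVSS v3.1 arithmetic follows the
FIRST specification, the control model and sample data are assumptions."""
from dataclasses import dataclass
import math

# CVSS v3.1 base metric weights (FIRST CVSS v3.1 specification, Table 8).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

# Relative breadth of each attack vector (P is treated as the floor). A control is
# worth crediting only if it leaves the attacker with a narrower vector.
AV_RANK = {"N": 3, "A": 2, "L": 1, "P": 0}


def roundup(x: float) -> float:
    """CVSS v3.1 Roundup(): smallest one-decimal value >= x (spec Appendix A)."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


@dataclass(frozen=True)
class Vuln:
    av: str     # Attack Vector: N, A, L, P
    ac: str     # Attack Complexity: L, H
    pr: str     # Privileges Required: N, L, H
    ui: str     # User Interaction: N, R
    scope: str  # Scope: U or C
    c: str      # Confidentiality impact: H, L, N
    i: str      # Integrity impact
    a: str      # Availability impact


def base_score(v: Vuln, attack_vector: str = "") -> float:
    """CVSS v3.1 base score; `attack_vector` overrides AV (the Environmental MAV idea)."""
    av = attack_vector or v.av
    iss = 1 - (1 - CIA[v.c]) * (1 - CIA[v.i]) * (1 - CIA[v.a])
    if v.scope == "U":
        impact = 6.42 * iss
        pr = PR_UNCHANGED[v.pr]
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
        pr = PR_CHANGED[v.pr]
    exploitability = 8.22 * AV[av] * AC[v.ac] * pr * UI[v.ui]
    if impact <= 0:
        return 0.0
    if v.scope == "U":
        return roundup(min(impact + exploitability, 10))
    return roundup(min(1.08 * (impact + exploitability), 10))


@dataclass(frozen=True)
class Control:
    name: str
    interposes_on: frozenset  # attack vectors the control actually sits in front of
    narrows_to: str           # vector left to an attacker once the control is in place


def credited_controls(v: Vuln, controls):
    """Applicability gate: keep only controls that act on the vulnerability's own vector."""
    return [c for c in controls
            if v.av in c.interposes_on and AV_RANK[c.narrows_to] < AV_RANK[v.av]]


def assessed_score(v: Vuln, controls):
    """Score after crediting applicable controls; returns (score, names of credited controls)."""
    credited = credited_controls(v, controls)
    if not credited:
        return base_score(v), []
    # Simplification: the residual vector is the narrowest that any credited control achieves.
    residual = min((c.narrows_to for c in credited), key=AV_RANK.__getitem__)
    return base_score(v, residual), [c.name for c in credited]


# Constructed sample: a network-exploitable flaw on a CDA (9.8 base) and two controls.
NETWORK_VULN = Vuln("N", "L", "N", "N", "U", "H", "H", "H")
LOCKED_CABINET = Control("locked equipment cabinet", frozenset({"P"}), "P")
SEGMENTATION = Control("isolated enclave reachable only from adjacent hosts",
                       frozenset({"N"}), "A")

if __name__ == "__main__":
    print("base score:", base_score(NETWORK_VULN))
    print("physical control only:", assessed_score(NETWORK_VULN, [LOCKED_CABINET]))
    print("with segmentation:", assessed_score(NETWORK_VULN, [LOCKED_CABINET, SEGMENTATION]))
```

Run as written, the locked cabinet is filtered out and the network-exploitable flaw stays at its 9.8 base score, while the segmentation control, which does interpose on the network vector, is credited and brings the assessed score to 8.8. The code only shows the applicability gate; whether a credited control is sufficient on its own to disposition the vulnerability is the separate question the memo takes up in the paragraphs that follow.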

NEI stated that allowlisting may be credited on its own in a vulnerability assessment if exploitation could not be achieved through interaction with the vulnerable application or over the network. The NRC responded that allowlisting is part of a comprehensive defense-in-depth (DiD) mitigation strategy and should not be solely relied upon for the disposition of a vulnerability. The NRC staff further stated that, while allowlisting could offer an adequate solution for preventing the execution of malware on a critical digital asset (CDA), the staff has not encountered an allowlisting solution that works adequately on its own within a licensee's sensitive network infrastructure.

Finally, NEI raised an issue related to indirect CDAs. NEI believes detection and remediation prior to adverse impact to a safety, security, or emergency preparedness (SSEP) function should be credited in lieu of addressing vulnerabilities associated with an indirect CDA. The NRC understands the purpose of the CSP is to prevent adverse impact to an SSEP function. Indirect CDAs, by their classification, cannot have a direct adverse impact to an SSEP function; therefore, NEI asserted that analyzing vulnerabilities on those CDAs is not necessary if detection and mitigation can occur prior to adverse impact to an SSEP function.

During the Q&A portion of the public meeting, participants questioned whether indirect CDAs need to be evaluated for vulnerabilities in the same manner as all other CDAs. NEI representatives added their perspective that if a CDA has no direct impact to a safety or security function, then it may not need to be included in vulnerability management. The NRC staff indicated this perspective would be taken into consideration as it evaluates revisions to NEI's guidance.

The NRC staff indicated they will take into consideration the views shared during the meeting as they finalize the staff's feedback on the white paper. The staff intends to provide its written feedback to NEI by mid-September 2023.

ML23242A200

OFFICE   NSIR/DPCP/CSB    NSIR/DPCP/CSB    NSIR/DPCP/CSB
NAME     APrada (AP)      BYip (BY)        APrada (AP)
DATE     Aug 30, 2023     Sep 5, 2023      Sep 5, 2023