ML23334A176
| Person / Time | |
|---|---|
| Issue date: | 11/30/2023 |
| From: | Ismael Garcia NRC/NSIR/DPCP |
| To: | |
| References | |
| ML23334A159 | |
Cybersecurity Considerations
NRC 3S Workshop: Advanced Reactors and Fuel Fabrication
December 5-6, 2023
Note: The information and conclusions presented herein are those of the authors only and do not necessarily represent the views or positions of the US Nuclear Regulatory Commission. Neither the US Government nor any agency thereof, nor any employee, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use of this information.
Ismael L. Garcia, Senior Technical Advisor, Cybersecurity and Digital Instrumentation and Control, Office of Nuclear Security and Incident Response. Email: Ismael.Garcia@nrc.gov
Mauricio Gutierrez, Instrumentation and Control Engineer, Instrumentation, Controls, and Electrical Engineering Branch, Office of Nuclear Regulatory Research. Email: Mauricio.Gutierrez@nrc.gov
Cybersecurity Requirements for Nuclear Power Plants
Nuclear Power Plants Cyber Requirements - 10 CFR 73.54
Note: 10 CFR 73.54 rule text can be found at: https://www.nrc.gov/reading-rm/doc-collections/cfr/part073/part073-0054.html
Digital Computer and Communication Systems
SAFETY / SECURITY / EMERGENCY PREPAREDNESS / SUPPORT SYSTEMS
CYBER ATTACKS impacting:
- Integrity / Confidentiality of data and software
- Denial of access to systems, services or data
- Operation of systems, networks and associated equipment
Definitions:
CFR: Code of Federal Regulations
Regulatory Guide 5.71
1. Cyber Security Assessment Team
2. Identify Critical Digital Assets (CDAs)
3. Implement Defensive Architecture
4. Apply Security Controls
Definitions:
NEI: Nuclear Energy Institute
RG: Regulatory Guide
Note: RG 5.71 can be found at: https://www.nrc.gov/docs/ML2225/ML22258A204.pdf
Draft Cybersecurity Requirements for Advanced Reactors
Preparing for a Wide Variety of Advanced Nuclear Technologies
Proposed New Cyber Requirements
- 10 CFR Part 53 development for Advanced Reactors
- Preliminary Proposed Rule Language Publicly Available
- New Cyber Requirements in Proposed Rule
Preliminary Proposed Cyber Requirements
Confidentiality, Integrity, Availability
Under the 10 CFR Part 53 rulemaking, the new cybersecurity framework would ensure that digital computers, communication systems, and networks are adequately protected against cyberattacks that may result in:
- Offsite radiation doses that endanger public health and safety.
- A degradation in the physical protection of radioactive material.
Safety, Security, Emergency Preparedness Digital Assets
- Continuous monitoring and assessment
- Configuration management
- Vulnerability scans
- Cybersecurity event notifications
Cybersecurity Program
- Designed in a manner that is commensurate with the potential consequences
- Ongoing assessment of security controls and effectiveness
- Defense in Depth
Note: This staff-proposed rulemaking has been documented in SECY 23-0021 and is with the Commission for review. More information on the rulemaking process is available at https://www.nrc.gov/about-nrc/regulatory/rulemaking/rulemaking-process.html
Reference: Part 73.110, "Technology-inclusive requirements for protection of digital computer and communication systems and networks," ADAMS Accession Number ML21162A093
Draft Regulatory Guide Development
- An acceptable approach for meeting the 10 CFR 73.110 requirements
- Effective guidance to support a performance-based regulatory framework
- Leverage IAEA and IEC security approaches
Note: This staff-proposed rulemaking has been documented in SECY 23-0021 and is with the Commission for review. More information on the rulemaking process is available at https://www.nrc.gov/about-nrc/regulatory/rulemaking/rulemaking-process.html.
Potential Integrated Cybersecurity-Safety Assessment Methods for Nuclear Power Plants
Integrated Cybersecurity-Safety Assessment Methods for Nuclear Power Plants - Potential Regulatory Applications
- Augment Cyber Risk Assessments performed by licensees via an integrated safety-security assessment
- Help licensees ensure security and safety systems proactively address design flaws that could be exploited by a cyber attack
- Help licensees ensure that safety functions and cybersecurity features do not adversely affect one another
Integrated Cybersecurity-Safety Assessment Methods for Nuclear Power Plants - Investigate Potential Use of STAMP
STAMP, CAST, & STPA
- Define the system & gather basic info.
- Model the system and human-machine interactions as a set of control diagrams (STAMP Model: Controller(s) with Algorithms + Processes, Controlled Process(es), Control Actions, Feedback)
- Analyze using CAST or STPA
  - CAST (Retrospective): Learn from operating experience
  - STPA (Prospective): Identify and address hazards throughout the development process
Note: Graphics from isa.org & itgstextbook.com and figure based on material presented by Dr. John Thomas from MIT.
Definitions:
CAST: Causal Analysis using Systems Theory
STAMP: System-Theoretic Accident Model and Processes
STPA: Systems-Theoretic Process Analysis
Integrated Cybersecurity Research Approach
- Investigate Use of STAMP to improve Cyber Risk Assessments
- Artificial Intelligence (AI)/Machine Learning (ML)
- Field Programmable Gate Arrays (FPGAs)
- Autonomous Control
- Wireless Communication Technologies