Text

OFFICIAL USE ONLY OFFICIAL USE ONLY NRC INTERNATIONAL MEETING

SUMMARY

Meeting

Title:

Second Cybersecurity Technical Exchange with Ukraine Meeting Dates: 12/12/2023 - 12/16/2023 Visited or Visiting Country: Poland; Participant(s):

Alex Prada Michael Brown Meeting Summary:

Two days of meetings were held between representatives of the USA (National Nuclear Security Administration (NNSA), Idaho National Laboratories (INL), and the US. Nuclear Regulatory Commission (NRC)) and the Ukraine (Energoatom (the Ukrainian nuclear operator)) to discuss a potential cyber laboratory proposal that INL had developed to enhance Energoatoms cyber analysis capabilities. This is part of an overall effort to return the Zaporizhzhia NPP back to a cyber secure state once the Ukrainians reacquire ownership of the facility.

Five potential projects were discussed including the deployment of a Security Operations Center (SOC) and what capabilities the center may need, the formation of a working group that would look at the best methods of segmenting the Information Technology (IT) and Operational Technology (OT) networks, the development of a cyber range, the identification of trusted vendors that could provide in depth cybersecurity training to Energoatom personnel, and the development of a training program that would establish an effective and risk-responsive cybersecurity culture program.

Energoatom discussed challenges they were facing that may impact the execution of these projects. The challenges included staffing challenges due to government restrictions on employee compensation, attempting to get management to invest proactively in cybersecurity measures rather than reactively after a catastrophic event has occurred, and the current political climate that may impact funding.

Results Achieved:

All parties agreed that this was another successful meeting. The five projects were discussed and agreed to by all parties. The NRC have provided continued support for these efforts, providing a unique regulatory perspective to relevant questions posed by SNRIU, the Ukrainian regulator, and Energoatom. As Ukraine continues to face both traditional and evolving threats, these joint engagements by INS and the NRC provide a significantly higher value to the Ukrainian partners and reflect our nations priorities on cybersecurity in nuclear. NNSA and Energoatom specifically thanked the NRC for providing a regulatory perspective to the questions posed by both SNRIU in the past and Energoatom in December. These perspectives will help them address and resolve potential issues that may be raised by SNRIU prior to any restart of the Zaporizhzhia NPP.

OFFICIAL USE ONLY OFFICIAL USE ONLY A path forward has now been determined and NNSA has developed a draft FY24 Engagement Plan that details how the projects will be implemented.

Pending Actions, Next Steps, and Commitments:

Once the FY24 Engagement Plan is finalized, INL will begin purchasing equipment and creating a Security Operations Center (SOC) that will be deployed to the Ukraine.

INL will also develop a detailed timeline outlining key milestones, deadlines, and phases for implementation of the SOC. The initial draft of this timeline will be produced by the end of January.

Energoatom is reviewing the draft FY24 Engagement Plan to ensure that it meets their technical requirements.

Energoatom will continue working on the needed procedures, processes, and checklists.

Energoatom will identify key Subject Matter Experts (SMEs) that will be trained in courses needed for them to operate the SOC.