ML24024A228
| Person / Time | |
|---|---|
| Issue date: | 03/27/2024 |
| From: | Ismael Garcia NRC/NSIR/DPCP |
| To: | |
| References | |
| ML24024A212 | |
U.S. Regulatory Efforts for Cybersecurity of Advanced Reactors

2024 NEI Cyber Security Implementation Workshop
Advanced Reactor Cybersecurity Program Development and Considerations
24 - 27 March 2024

Note: The information and conclusions presented herein are those of the authors only and do not necessarily represent the views or positions of the US Nuclear Regulatory Commission. Neither the US Government nor any agency thereof, nor any employee, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use of this information.

Ismael L. Garcia
Senior Technical Advisor
Cybersecurity and Digital Instrumentation and Control
Office of Nuclear Security and Incident Response
Email: Ismael.Garcia@nrc.gov

Draft Cybersecurity Requirements for Advanced Reactors

Preparing for a Wide Variety of Advanced Nuclear Technologies

Proposed New Cyber Requirements
10 CFR Part 53 development for Advanced Reactors
Preliminary Proposed Rule Language Publicly Available
New Cyber Requirements in Proposed Rule

Preliminary Proposed Cyber Requirements
Confidentiality
Integrity
Availability

Under the 10 CFR Part 53 rulemaking, the new cybersecurity framework would ensure that digital computers, communication systems, and networks are adequately protected against cyberattacks that may result in:
Offsite radiation doses that endanger public health and safety.
A degradation in the physical protection of radioactive material.

Safety
Security
Emergency Preparedness
Digital Assets

Continuous monitoring and assessment
Configuration management
Vulnerability scans
Cybersecurity event notifications

Cybersecurity Program
Designed in a manner that is commensurate with the potential consequences
Ongoing assessment of security controls and effectiveness
Defense in Depth

Note: This staff-proposed rulemaking has been documented in SECY 23-0021 and is with the Commission for review. More information on the rulemaking process is available at https://www.nrc.gov/about-nrc/regulatory/rulemaking/rulemaking-process.html
Reference: Part 73.110, "Technology-inclusive requirements for protection of digital computer and communication systems and networks," ADAMS Accession Number ML21162A093

10 CFR 73.110 Draft Regulatory Guide Concepts

Draft Regulatory Guide Development
An acceptable approach for meeting the 10 CFR 73.110 requirements
Effective guidance to support a performance-based regulatory framework
Leverage IAEA and IEC security approaches

Draft Regulatory Guide - Three-Tier Analysis Approach
Facility Level: Eliminate potential adversary scenarios through facility design
Function Level: Eliminate or mitigate attack vectors through passive cybersecurity plan and defensive cybersecurity architecture elements (e.g., data diodes)
System Level: Use active cybersecurity plan and defensive computer security architecture elements (e.g., intrusion detection systems) to protect against cyberattacks

Future Work
SECY-23-0021, Proposed Rule: Risk-Informed, Technology-Inclusive Regulatory Framework for Advanced Reactors submitted to the Commission on March 1, 2023 for approval
Continue to support draft Part 53 proposed rulemaking efforts including the cybersecurity requirements and regulatory guidance