Overview of NRC Cybersecurity Program for Nuclear Surety Workshop

ML24176A028
Person / Time
Issue date:	06/24/2024
From:	Alexander Prada NRC/NSIR/DPCP/CSB
To:
References
Download: ML24176A028 (1)
v • d • e

Text

Overview of the NRC Cybersecurity Oversight Program &

Inspections

Alex Prada, Cybersecurity Specialist Cyber Security Branch (CSB)

Division of Physical & Cyber Security Policy (DPCP)

Office of Nuclear Security & Incident Response (NSIR)

1 Topics

• History of the US NRC Cyber Security Oversight Program

• 10 CFR 73.54 The Rule

• Cyber Security Plans (CSPs)

• Cyber Inspection Procedure

2 History of US NRC Cyber Security Oversight Program

PUBLIC LAW 109-58 ENERGY POLICY ACT 2005

CYBER RULE

DBT UPDATE

NRC ORDERS ISSUED 10 CFR 73.1 PHYSICAL & CYBER DBT REVISED THREATS

3 History of US NRC Cyber Security Oversight Program

CSPs CYBER SUBMITTED TO INSPECTIONS IN THE NRC THE ROP

Insp. Program Interim Milestones Inspections (Baseline) Cyber Development Inspections (MS 1 - 7 ) Program Full Implementation

2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022

Guidance Development for Industry Guidance Dev for Industry Guidance Dev for MS 1 - 7 Cyber Program Full Cyber Program Full Implementation Inspections Implementation Inspections 10 CFR 73.77 NRC CYBER PROGRAM ASSESSMENT 4

NRC Cyber Security Program

5 10 CFR Part 73

6 10 CFR 73.55 10 CFR 73.XX Physical Sec Physical Sec

10 CFR 73.1 D BT

10 CFR 73.54 Cyber Protections

SSEP Functions

SAFETY IMPORTANT-SECURITY EMERGENCY BALANCE OF TO-SAFETYPREPAREDNESSPLANT

CYBERSECURITY PROGRAM Systems Implement Apply & Personnel Evaluate & Evaluate 10 CFR 73.77 Analysis & Security Maintain Training Manage MODS Cybersec Identification Controls D-I-DProgramsCyber Risks Event Report Detection & Consequence Vulnerability Recovery of Periodic Records 7 Incident Mitigation Management Affected Review Procedures Retention Response Remediation Systems 10 CFR 73.54(a)(2) - Consequence

Protect the systems and netw orks identified [ SSEP functions] from cyber attacks that would:

(i) Adversely impact the integrity or confidentiality of data and/or software;

(ii) Deny access to systems, services, and/or data; and

(iii) Adversely impact the operation of systems, networks, and associated equipment.

8 Adverse Impact

• The term adverse impact is used in 73.54 but defined in RG 5.71.

o A direct and deleterious effect

• Loss or impairment of a function.

• Reduction in reliability, or

• In the ability to detect, delay, assess, or respond to a malevolent act, or

• In communication with offsite assistance, or

• In emergency response measures to respond to a radiological event.

9 Adverse Impact

Examples of adverse impact due to a cyber attack:

• Preventing a device from performing its designed function.

• Precluding an operator from taking appropriate action(s) based on false information.

• Causing an operator to not take action based on false information.

• Compromise configuration or data that could lead to a cyber attack.

In 2007, the Idaho National Laboratory conducted the Aurora Generator Test, which demonstrated how a cyber attack could destroy physical assets.

10 https://www.youtube.com/watch?v=fJyWngDco3g Licensing of the Cybersecurity Program

11 Hierarchy of Regulatory Instruments

Code of Federal Regulations (CFR)

(Requirements)

Cybersecurity Plan (CSP), licensing basis NRC - approved contract, legally binding document, commitments to meet the CFR (if guidance included - legally binding)

Licensee Procedures Details: how to how to meet the commitments in the CSP (if guidance included - self-imposed standard)

12 CSPs

Purpose of CSPs:

legally binding document, commitments to meet the regulations (10 CFR 73.54)

Guidance RG 5.71 & NEI 08- 09 Rev 6:

describe an acceptable method (framework) for the construct of a CSP and a cyber security program to satisfy the requirements of 10 CFR 73.54.

Licensees can develop their ow n CSP and cybersecurity program w ithout relying on approved guidance.

NRC review s and approves CSPs

13 Cyber Security Plan Template Guidance &

Addendums

• RG 5.71 Cyber Security Programs for Nuclear Facilities ML22258A204

• NEI 08- 09 Rev6 Add 1 Cyber Security Plan for Nuclear Power Reactors ML17079A423

• NEI 08-09 Rev6 Add 2 Cyber Attack Determination, Response, &

Elimination ML17236A268

• NEI 08-09 Rev6 Add 3 Systems and Services Acquisition ML17236A269

• NEI 08-09 Rev6 Add 4 Physical & Operational Environment Protection ML17236A270

• NEI 08- 09 Rev6 Add 5 Cyber Security Vulnerability & Risk Management (OUO-SRI) ML18212A282

• NEI 11-08 Guidance Submitting Security Plan Changes ML12216A19414 NEI 08-09 & RG 5.71 CSP Objectives

Defense-in-Depth

= Technical, Operational, and Management Security Controls

B B B

C B B

C

B C C C

More Less

15 Secure Secure NEI 08-09 & RG 5.71 CSP Objectives

NEI 13-10 may be used to address security controls:

• Implement the controls as w ritten in the CSP.

• Apply alternative controls.

Document the basis.

May perform & document attack tree analysis.

Must mitigate the attack vector.

• Control not applicable.

o Document attack analysis demonstrate attack vector does not exist

16 Cyber Security Event Reporting

Cyber Security Event Reporting

• Review of licensee processes and procedures to verify the licensee can meet the cyber security event reporting requirements in accordance with 10 CFR 73.77.

• Guidance RG 5.83 & NEI 15- 09

- Types of Cybersecurity events and notification timeframes.

- Notification process.

- Written follow-up reports

17 10 CFR 73.77 Cyber Security Event Notification

TIME (Hrs)

Event 1 4 8 24 Recordable

18 18 10 CFR 73.77 Cyber Security Event Notification

TIME (Hrs)

Event 1 4 8 24 Recordable

Information about observed behavior, activities, or statements related to intelligence gathering or pre-operational planning related to a cyber attack Vulnerabilities, w eaknesses, failures and deficiencies in sites cyber security program (10 CFR 73.54) are entered in the Corrective Action Program Record notifications made to the NRC subject to the provisions of 10 CFR 73.54

19 19 NRC Cybersecurity Inspections IP 71130.10

20 Cybersecurity Inspection Resources

• Inspection Procedure IP 71130.10

• Team Composition

- Qualified per IMC 1245 App C-14 NRC Lead Inspector

- 2 Regional Inspector

- 2 Cyber Security Subject Matter Experts (Contractor SMEs) NRC HQ staff 2 NRC inspector staff Contractors

- HQ staff sometimes on site

- HQ staff & SME contractors available remotely NRC staff & Contractor Support

• ~25 Inspections scheduled/year Available (remotely) to the team as/if needed

- Inspection conducted on a biennial basis for each site

21 Cybersecurity Inspections

Oversight Activity that takes 5-w eeks (non-consecutive)

Week 1 2 3 4 5

Inspection Inspection Inspection Preparation & Inspection week Report Writing Phase Coordination Coordination - Documentation (Prep Preparation & doc)

Triggering NRC Notification RFI received by RFI # 2 received by Team arrival Findings Event letter & request for the NRC the NRC conclusions information Entrance finalized (RFI) # 1 received meeting by the licensee

Task Inspectors NRC review s RFI: Ongoing review of Collect Present findings coordinate logistics sites policies, RFI 1 & 2 information to the SIF for site visit procedures, netw ork diagrams Sample selection Perform analysis Prepare report &

Clarify RFI finalized other Samples selection Document documentation Prepare Inspection Update/finalize, & Findings to finish the Plan RFI # 2 sent to the send inspection plan inspection licensee (inspection team) Significance &

enforcement Send final Interviews/activities report to schedule drafted Exit brief or licensee meeting 03.01(a) Associated Controls (1 of 2)

Control Control Name Periodicity A.4.12 Cyber Security Program Review 24 Months A.4.13 Document Control and Records Retention and Handling 12 Months A.4.13 Document Control and Records Retention and Handling 3 Years A.4.3 Defense-in -Depth Protective Strategies A.4.4 Ongoing Monitoring and Assessments Periodic A.4.4.3.1 Effectiveness Analysis 24 Months A.4.9 Evaluate and Manage Cyber Risk D.1.01 Access Control Policy and Procedures 12 Months D.1.02 Account Management 31 Days D.1.17 Wireless Access Restrictions 31 Days D.1.18 Insecure and Rogue Connections 31 Days D.2.02 Auditable Events 12 Months D.2.06 Audit Review, Analysis, and Reporting 31 Days

D.3.01 CDA, System and Communications Protection Policy and Procedures 24 Months

Implement Apply, &

23 Security Maintain Controls D-I-D 03.01(a) Associated Controls (2 of 2)

Control Control Name Periodicity D.4.1 Identification and Authentication Policies and Procedures 31 Days D.4.3 Password Requirements 92 Days D.4.6 Identifier Management 31 Days D.4.7 Authenticator Management 12 Months E.1.6 Media Sanitization and Disposal 92 Days E.3.3 Malicious Code Protection Periodic E.3.4 Monitoring Tools and Techniques 7 Days E.3.7 Software and Information Integrity 92 Days E.6 Defense-in-Depth 92 Days E.7.3 Incident Response Testing and Drills 12 Months E.8.3 Contingency Training 12 Months E.8.5 CDA Backups IAW Assessment E.9.3 Technical Training 12 Months E.10.3 Baseline Configuration 92 Days E.10.6 Access Restrictions for Change 92 Days E.10.8 Least Functionality 31 Days E.12 Evaluate and Manage Cyber Risk 92 Days Implement Apply, &

24 Security Maintain Controls D-I-D Cyber Security Branch Contact

• Alex Prada

• alexander.prada@nrc.gov

25 Questions?

26