ML24176A028
| Person / Time | |
|---|---|
| Issue date: | 06/24/2024 |
| From: | Alexander Prada NRC/NSIR/DPCP/CSB |
| To: | |
| References | |
| Download: | ML24176A028 (1) |

Text
Overview of the NRC Cybersecurity Oversight Program & Inspections

Alex Prada, Cybersecurity Specialist
Cyber Security Branch (CSB)
Division of Physical & Cyber Security Policy (DPCP)
Office of Nuclear Security & Incident Response (NSIR)
Topics
- History of the US NRC Cyber Security Oversight Program
- 10 CFR 73.54 (the rule)
- Cyber Security Plans (CSPs)
- Cyber Inspection Procedure
History of US NRC Cyber Security Oversight Program

[Timeline figure; milestones shown:]
- NRC orders issued (physical & cyber threats)
- Public Law 109-58, Energy Policy Act of 2005
- 10 CFR 73.1 Design Basis Threat (DBT) revised
- DBT update
- Cyber rule (10 CFR 73.54)

[Timeline figure, 2010 to 2022; milestones shown:]
- Inspection program development
- Interim milestone inspections (Milestones 1 - 7)
- Guidance development for Milestones 1 - 7
- CSPs submitted to the NRC
- Inspections (baseline)
- 10 CFR 73.77 (cyber security event notification)
- Industry guidance development for cyber program full implementation inspections
- Cyber program full implementation
- Cyber inspections in the Reactor Oversight Process (ROP)
- NRC cyber program assessment
NRC Cyber Security Program

[Program diagram; recoverable elements:]
Regulatory basis: 10 CFR 73.1 (DBT), 10 CFR 73.54 (cyber protections), 10 CFR 73.55 (physical security), 10 CFR 73.XX (physical security)
Protected functions: SSEP functions (Safety, Important-to-Safety, Security, Emergency Preparedness) and Balance of Plant
Cybersecurity program elements:
- Systems analysis & identification
- Apply & maintain defense-in-depth (D-I-D)
- Implement security controls
- Personnel training programs
- Evaluate & manage cyber risks
- Evaluate modifications
- Detection & incident response procedures
- Consequence mitigation
- Vulnerability management
- Remediation
- Recovery of affected systems
- Periodic review
- Records retention
- 10 CFR 73.77 cybersecurity event reporting
10 CFR 73.54(a)(2) - Consequence

Protect the systems and networks identified [those supporting SSEP functions] from cyber attacks that would:
(i) Adversely impact the integrity or confidentiality of data and/or software;
(ii) Deny access to systems, services, and/or data; and
(iii) Adversely impact the operation of systems, networks, and associated equipment.
Adverse Impact
- The term "adverse impact" is used in 10 CFR 73.54 but defined in RG 5.71:
  o A direct and deleterious effect:
    - Loss or impairment of a function;
    - Reduction in reliability;
    - Reduction in the ability to detect, delay, assess, or respond to a malevolent act;
    - Reduction in communication with offsite assistance; or
    - Reduction in emergency response measures to respond to a radiological event.
Examples of adverse impact due to a cyber attack:
- Preventing a device from performing its designed function.
- Precluding an operator from taking appropriate action(s) based on false information.
- Causing an operator to not take action based on false information.
- Compromising configuration or data in a way that could lead to a cyber attack.
In 2007, the Idaho National Laboratory conducted the Aurora Generator Test, which demonstrated how a cyber attack could destroy physical assets.
Video: https://www.youtube.com/watch?v=fJyWngDco3g
Licensing of the Cybersecurity Program

Hierarchy of Regulatory Instruments
- Code of Federal Regulations (CFR): the requirements (10 CFR 73.54).
- Cybersecurity Plan (CSP): the licensing basis. An NRC-approved, legally binding document (in effect a contract with the NRC) containing the licensee's commitments to meet the regulations; guidance incorporated into the CSP becomes legally binding.
- Licensee procedures: the details of how the commitments in the CSP are met; guidance incorporated into procedures is a self-imposed standard.

Guidance (RG 5.71 and NEI 08-09 Rev 6) describes an acceptable method (framework) for constructing a CSP and a cyber security program that satisfies the requirements of 10 CFR 73.54. Licensees can develop their own CSP and cybersecurity program without relying on approved guidance. The NRC reviews and approves CSPs.
Cyber Security Plan Template Guidance & Addendums

| Document | Title | ADAMS Accession No. |
|---|---|---|
| RG 5.71 | Cyber Security Programs for Nuclear Facilities | ML22258A204 |
| NEI 08-09 Rev 6, Addendum 1 | Cyber Security Plan for Nuclear Power Reactors | ML17079A423 |
| NEI 08-09 Rev 6, Addendum 2 | Cyber Attack Determination, Response, & Elimination | ML17236A268 |
| NEI 08-09 Rev 6, Addendum 3 | Systems and Services Acquisition | ML17236A269 |
| NEI 08-09 Rev 6, Addendum 4 | Physical & Operational Environment Protection | ML17236A270 |
| NEI 08-09 Rev 6, Addendum 5 | Cyber Security Vulnerability & Risk Management (OUO-SRI) | ML18212A282 |
| NEI 11-08 | Guidance for Submitting Security Plan Changes | ML12216A194 |
NEI 08-09 & RG 5.71 CSP Objectives

[Defense-in-depth figure; axis runs from "Less Secure" to "More Secure"]

Defense-in-Depth = Technical, Operational, and Management Security Controls
NEI 13-10 may be used to address security controls in one of three ways:
- Implement the controls as written in the CSP.
- Apply alternative controls:
  o Document the basis.
  o May perform & document an attack tree analysis.
  o Must mitigate the attack vector.
- Control not applicable:
  o Document an attack analysis demonstrating that the attack vector does not exist.
Cyber Security Event Reporting
Review of licensee processes and procedures to verify the licensee can meet the cyber security event reporting requirements in accordance with 10 CFR 73.77:
- Types of cybersecurity events and notification timeframes.
- Notification process.
- Written follow-up reports.
10 CFR 73.77 Cyber Security Event Notification

[Timeline figure; event time axis marked at 1, 4, 8 and 24 hours, followed by "Recordable". Recoverable call-outs:]
- Information about observed behavior, activities, or statements related to intelligence gathering or pre-operational planning related to a cyber attack.
- Vulnerabilities, weaknesses, failures and deficiencies in the site's cyber security program (10 CFR 73.54) are entered in the Corrective Action Program.
- Record notifications made to the NRC subject to the provisions of 10 CFR 73.54.
NRC Cybersecurity Inspections: IP 71130.10

Inspection Procedure IP 71130.10
- Team composition (qualified per IMC 1245 Appendix C-14):
  o NRC lead inspector and one NRC inspector (2 regional inspectors)
  o 2 cyber security subject matter experts (NRC contractor SMEs)
  o HQ staff sometimes on site; HQ staff & contractor SMEs available remotely to the team as/if needed
- ~25 inspections scheduled per year; each site is inspected on a biennial basis.
Cybersecurity Inspections
An oversight activity that takes five weeks (non-consecutive):

| Week | Inspection phase | Triggering event | Tasks |
|---|---|---|---|
| 1 | Inspection coordination | NRC notification letter & request for information (RFI) #1 received by the licensee | Inspectors coordinate logistics for the site visit; clarify the RFI; prepare the inspection plan |
| 2 | Inspection coordination - preparation | RFI #1 response received by the NRC | NRC reviews the RFI response (site policies, procedures, network diagrams); sample selection; RFI #2 sent to the licensee |
| 3 | Preparation & documentation (prep & doc) | RFI #2 response received by the NRC | Ongoing review of RFI #1 & #2; sample selection finalized; update/finalize & send the inspection plan (inspection team); interviews/activities schedule drafted |
| 4 | Inspection week | Team arrival; entrance meeting | Collect information; perform analysis; document findings; significance & enforcement; exit brief or meeting |
| 5 | Report writing | Findings and conclusions finalized | Present findings to the SIF; prepare report & other documentation to finish the inspection; send final report to the licensee |
03.01(a) Associated Controls (1 of 2) - Apply & Maintain D-I-D / Implement Security Controls

| Control | Control Name | Periodicity |
|---|---|---|
| A.4.12 | Cyber Security Program Review | 24 months |
| A.4.13 | Document Control and Records Retention and Handling | 12 months |
| A.4.13 | Document Control and Records Retention and Handling | 3 years |
| A.4.3 | Defense-in-Depth Protective Strategies | |
| A.4.4 | Ongoing Monitoring and Assessments | Periodic |
| A.4.4.3.1 | Effectiveness Analysis | 24 months |
| A.4.9 | Evaluate and Manage Cyber Risk | |
| D.1.01 | Access Control Policy and Procedures | 12 months |
| D.1.02 | Account Management | 31 days |
| D.1.17 | Wireless Access Restrictions | 31 days |
| D.1.18 | Insecure and Rogue Connections | 31 days |
| D.2.02 | Auditable Events | 12 months |
| D.2.06 | Audit Review, Analysis, and Reporting | 31 days |
| D.3.01 | CDA, System and Communications Protection Policy and Procedures | 24 months |

03.01(a) Associated Controls (2 of 2) - Apply & Maintain D-I-D / Implement Security Controls

| Control | Control Name | Periodicity |
|---|---|---|
| D.4.1 | Identification and Authentication Policies and Procedures | 31 days |
| D.4.3 | Password Requirements | 92 days |
| D.4.6 | Identifier Management | 31 days |
| D.4.7 | Authenticator Management | 12 months |
| E.1.6 | Media Sanitization and Disposal | 92 days |
| E.3.3 | Malicious Code Protection | Periodic |
| E.3.4 | Monitoring Tools and Techniques | 7 days |
| E.3.7 | Software and Information Integrity | 92 days |
| E.6 | Defense-in-Depth | 92 days |
| E.7.3 | Incident Response Testing and Drills | 12 months |
| E.8.3 | Contingency Training | 12 months |
| E.8.5 | CDA (critical digital asset) Backups | IAW (in accordance with) assessment |
| E.9.3 | Technical Training | 12 months |
| E.10.3 | Baseline Configuration | 92 days |
| E.10.6 | Access Restrictions for Change | 92 days |
| E.10.8 | Least Functionality | 31 days |
| E.12 | Evaluate and Manage Cyber Risk | 92 days |
Cyber Security Branch Contact
Alex Prada, alexander.prada@nrc.gov

Questions?