ML24206A213

Overview of the NRC Cybersecurity Oversight Program & Inspection Common Issues - Slides
ML24206A213
Person / Time
Issue date: 07/24/2024
From: Mario Fernandez
NRC/NSIR/DPCP/CSB

Overview of the NRC's Cybersecurity Oversight Program & Inspection Common Issues

Mario Fernandez, Branch Chief (Acting)

Cyber Security Branch (CSB)

Division of Physical and Cyber Security Policy (DPCP)

Office of Nuclear Security and Incident Response (NSIR)

Nuclear Regulatory Commission (NRC)

Agenda

  • NRC's Cybersecurity Branch
  • The NRC Cyber Rule and Cybersecurity Plan (CSP) Objectives
  • Inspection Common Issues and Lessons Learned
  • Key Takeaways
  • Q & A

CYBERSECURITY BRANCH

Central focal point for planning, coordinating, and managing agency-wide activities related to cybersecurity at NRC-licensed facilities, and working closely with other federal and international agencies to address cyber-related issues of mutual interest.

POLICY

  • Rulemaking
  • Licensing
  • Resolve Policy Issues
  • Guidance Development & Revisions: NEI 08-09

OTHER ACTIVITIES

  • International
  • Training Development
  • Bi/Trilateral
  • Research
  • New Technologies
  • Wireless Monitoring
  • Inspection Program
  • Cyber Events Assessment (CAT)
  • Inspector Training
  • Federal Partners Engagement

10 CFR 73.54 - Cyber Rule

Licensees shall provide high assurance that digital computer and communication systems and networks associated with Safety-Related, Important-to-Safety, Security, & Emergency Preparedness (SSEP) functions are adequately protected against cyber attacks.

  • Requirements for a cybersecurity program for new applicants and operating nuclear power plants
  • Focus: Prevention of Radiological Sabotage

CYBERSECURITY PROGRAM

1. Cybersecurity Assessment Team
2. Identify Critical Digital Assets (CDAs)
3. Implement Defensive Architecture
4. Address Security Controls to CDAs per the CSP

NRC 10 CFR 73.54 Rule and Cybersecurity Plan (CSP) Objectives

  • Systems Analysis & Identification
  • Apply & Maintain D-I-D (Defense-in-Depth)
  • Personnel Training Programs
  • Evaluate & Manage Cyber Risks
  • Evaluate MODS
  • Detection & Incident Response Procedures
  • Records Retention
  • 10 CFR 73.77 Cybersecurity Event Report
  • Implement Security Controls
  • Consequence Mitigation
  • Vulnerability Management
  • Remediation
  • Recovery of Affected Systems
  • Periodic Review

Addressing Technical, Management, & Operational Controls and Objectives

  • Implement the controls as written
  • Apply alternative controls
  • Document the basis for:
    o Using alternate countermeasures
    o Confirming that the alternate mitigates the threat/attack vector the original control intends to protect against
    o Implementing the alternate countermeasures with the periodicity associated with the original control
  • Control not applicable
    o Perform and document the analysis
    o Document that the attack vector does not exist

INSPECTION COMMON ISSUES AND LESSONS LEARNED

D.1.7 Unsuccessful Login Attempts & D.1.8 System Use Notification

Failure to implement threshold enforcement for unsuccessful logins, and failure to implement a system use notification, on an IVMS switch within the licensee's security system.

D.5.1 Removal of Unnecessary Services and Programs

A printer used within the Security System was not hardened and had unnecessary programs installed on it. These programs included Novell/NetWare networking software and AppleTalk.

D.1.4 Information Flow Enforcement

A security Network Video Recorder (NVR) was moved from Level 3 to Level 2 (LAN) without changing the permissions or status of the CDA.

D.4.3 Password Requirements

A CAS workstation was not enforcing password requirements and was found to have a password that was over 2 years old.

E.10.3 Baseline Configuration

  • Failure to reflect an accurate real-time baseline when compared to the documented baseline of a CAS workstation.
  • A CAS workstation was not enforcing password requirements and was found to have a password that was over 2 years old.

A.2.2.11 Use of the Corrective Action Program

A Security System SIEM was out of service for a year. The site made efforts to repair the SIEM with the support of the vendor, but the SIEM had reached the end of its life cycle. Review of the SIEM logs was performed manually; however, not all logs from the devices supported by the SIEM were reviewed.

E.6 Defense-in-Depth

Failure to implement cybersecurity controls on the Security Data Management System Servers (SMDS).

Upon review of a system assessment, the NRC inspectors determined that adverse impact to the system was not an adequate basis for not implementing cybersecurity controls on the SMDS; on that basis, only physical security controls had been implemented for the plant security computer system.
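As an added illustration (not part of the slides, and not an NRC or NEI tool), the following Python check compares a documented CDA baseline against the state observed on the device and reports deviations of the kinds the findings above describe. The host name, the baseline and observed records, the unnecessary-service list and the password-age limit are constructed assumptions; a licensee's CSP and hardening standard supply the real values.

```python
from datetime import date

# Constructed sample: the documented baseline for one security-system CDA
# (hypothetical host name) and the state observed during a walkdown.
DOCUMENTED_BASELINE = {
    "host": "cas-ws-01",
    "network_level": 3,
    "services": {"nvr-agent", "ssh"},
    "lockout_threshold": 5,          # failed logins before lockout
    "login_banner": True,            # system use notification displayed
}
OBSERVED = {
    "host": "cas-ws-01",
    "network_level": 2,              # moved to Level 2 without updating the CDA record
    "services": {"nvr-agent", "ssh", "netware-client", "appletalk"},
    "lockout_threshold": 0,          # 0 = no threshold enforced
    "login_banner": False,
    "password_changed": date(2022, 3, 1),
}
OBSERVED_OK = dict(DOCUMENTED_BASELINE, password_changed=date(2024, 7, 1))
TODAY = date(2024, 7, 24)            # assumed inspection date

# Programs the slides cite as unnecessary on a security-system device (D.5.1)
UNNECESSARY_SERVICES = {"netware-client", "appletalk"}
MAX_PASSWORD_AGE_DAYS = 365          # assumed; the CSP sets the actual value


def audit_cda(baseline, observed, today):
    """Return (control id, description) pairs for each deviation found."""
    findings = []
    if observed["lockout_threshold"] <= 0:
        findings.append(("D.1.7", "no unsuccessful-login threshold enforced"))
    if not observed["login_banner"]:
        findings.append(("D.1.8", "system use notification not configured"))
    extra = observed["services"] & UNNECESSARY_SERVICES
    if extra:
        findings.append(("D.5.1", f"unnecessary services installed: {sorted(extra)}"))
    if observed["network_level"] != baseline["network_level"]:
        findings.append(("D.1.4", f"CDA is on Level {observed['network_level']} "
                                  f"but documented at Level {baseline['network_level']}"))
    age_days = (today - observed["password_changed"]).days
    if age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(("D.4.3", f"password is {age_days} days old"))
    # E.10.3: any documented attribute whose real-time value differs is baseline drift
    drift = sorted(k for k in baseline if k != "host" and baseline[k] != observed.get(k))
    if drift:
        findings.append(("E.10.3", f"observed state differs from documented baseline: {drift}"))
    return findings
```

Running `audit_cda(DOCUMENTED_BASELINE, OBSERVED, TODAY)` reproduces all six control findings for the constructed record, while `OBSERVED_OK` yields none.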

KEY TAKEAWAYS

  • The objective of the NRC's cybersecurity oversight framework is to provide reasonable assurance that digital computer and communication systems and networks associated with safety, important-to-safety, security, emergency preparedness (SSEP) and balance-of-plant functions are adequately protected against cyber attacks.
  • Licensees' proper implementation of cybersecurity programs and security controls for systems that are heavily supported by vendors depends on a thorough understanding of the NRC requirements, proper documentation, and alternate solutions that meet the requirements of the regulation and their CSPs.

Questions