ML24268A014

U.S. Nuclear Regulatory Commission Cyber Security Oversight Program Overview for the Romanian Regulators
ML24268A014
Person / Time
Issue date: 09/24/2024
From: Michael Brown
NRC/NSIR/DPCP/CSB


Text

U.S. NUCLEAR REGULATORY COMMISSION (NRC)

CYBER SECURITY OVERSIGHT PROGRAM OVERVIEW FOR THE ROMANIAN REGULATORS

Michael Brown

Cyber Security Branch (CSB)

Division of Physical and Cyber Security Policy (DPCP)

Office of Nuclear Security and Incident Response (NSIR)

AGENDA

  • Brief History of Cyber Security at the NRC
  • 10 CFR 73.54 - Cyber Rule and Guidance
  • Cyber Security Full Implementation Inspections
  • Cyber for the AP1000

Overview of US NRC Cyber Security Program: Cyber Security Program History

[Timeline figure with year markers 2001, 2002 to 2008, 2009, 2010, 2012, 2013, 2015, 2016 and 2017. Labelled events: 9/11 Terrorist Attack; Cyber Security Assessments (NRC & Industry work to assess and address cyber security at NPPs); The Cyber Rule 10 CFR 73.54 Issued; RG 5.71 & NEI 08-09 Implementation Guidance; NPP CSPs & Implementation Schedules Approved; MS 1 - 7 Inspections; Cyber Security Implementation Inspections; NRC & Industry collaborative work on implementation guidance (SFAQs, NEI 13-10, workshops, tabletops, CSP addendums); Full Implementation Inspections started.]

Future of US NRC Cyber Security Program

[Timeline figure with year markers 2017 through 2022. Labelled events: Full Implementation Inspections Started; Full Implementation Inspections at all Licensee Sites; Full Implementation Inspections Completed; Biennial Baseline inspections start; Baseline Inspection Program continues.]

Cyber Security Program Implementation Requirements at NewRx and OpRx

High assurance that digital computer and communication systems and networks are adequately protected against cyber attacks

Focus: Prevention of Radiological Sabotage

10 CFR 73.54 Protection of Digital Computer & Communication Systems and Networks

10 CFR 73.54

- Protect digital computer and communication systems and networks associated with

  • Support systems and equipment which, if compromised, would adversely impact SSEP functions

- Protect from cyber attacks that adversely impact

  • Integrity or confidentiality of data and/or software
  • Deny access to systems, services, and/or data
  • Operation of systems, networks, & associated equipment

Generic Defensive Architecture

[Figure: network levels labelled Internet, Corporate Network, Site Network, and Security / Safety Systems, with a One-way Deterministic Device.]

Full Implementation Inspection Program

  • Team Composition (4 inspectors)

- Regional Inspector Team Lead

- Regional Inspector

- 2 Cyber Security Subject Matter Experts (Contractor SMEs)

Inspectors

  • The initial round of full implementation inspections was completed in 2021
  • These inspections consisted of a week onsite followed by an offsite week, followed by a 2nd week onsite

[Figure: team diagram labelled NRC Lead inspector, NRC inspector, 2 NRC Contractors, and HQ Support staff (available remotely to the team as needed).]

Inspection Procedure 71130.10P

Programmatic

  • Cyber security program & training: Policies & procedures, CDAs, Networks, Portable Media Devices, Controls
  • Attack mitigation, incident response, and contingency planning
  • Program monitoring, assessment, configuration, and change management
  • Systems/services acquisition and supply chain protection
  • Review changes to the cyber security plan
  • Cyber security event reporting
  • Identification and resolution of problems

Technical

  • Access control/media and portable device protection: login, authentication, wireless
  • CDA and communications protection: Protocols, passwords, shared resources, Denial-of-Service protection, digital certificates, information protection, encryption, removal of unnecessary services, OS
  • Defense-in-depth, detection, and response: Hardware configuration, intrusion detection system, malicious code protection, monitoring tools, information flow enforcement

Baseline Inspection Program

  • Team Composition (4 inspectors)

- Regional Inspector Team Lead

- Regional Inspector

- 2 Cyber Security Subject Matter Experts (Contractor SMEs)

Inspectors

  • In 2022, the baseline inspection program was started as part of the Reactor Oversight Process (ROP). These are one-week inspections done every two years.
  • We are now in the 2nd cycle of ROP inspections.

[Figure: team diagram labelled NRC Lead inspector, NRC inspector, 2 NRC Contractors, and HQ Support staff (available remotely to the team as needed).]

Inspection Procedure 71130.10

  • This inspection focuses on evaluating changes to the program and to the Critical Digital Assets (CDAs)
  • Systems that have been added or modified since the last inspection should be inspected.
  • The team should look at at least 3 systems to review their current implementation.

Inspection Procedure 71130.10

  • Areas to be inspected:

- 3.01 - Review Ongoing Monitoring and Assessment activities

- 3.02 - Verify Defense in Depth Protective Strategies

- 3.03 - Review Configuration Management and Change Control

- 3.04 - Review of Cybersecurity program

- 3.05 - Evaluation of Corrective Actions

- 3.06 - Evaluation of Performance Testing or Performance Metrics (if any)

Cyber Security During Construction

  • NEI 08-09 Addendum 3 provides guidance on System and Services Acquisition (Supply Chain) and discusses some of the following:

- Maintaining custody and control of device from vendor to installation

  • Many components at Vogtle were shipped without software installed and software was installed during system turnover
  • Requirements for tamper proof products or tamper seal on acquired products

- Establishment of trusted distribution paths to ensure traceability

- Integration of security capabilities

  • The best time to add security features is during the design and construction of a product, not as an add on after construction

- Licensee testing

  • Licensee should always test products prior to installation

Cyber Security During Construction

  • A good practice is to store safety-related and important-to-safety CDAs in secured storage areas prior to their installation in the plant to minimize any unauthorized access to them

- These areas should be access controlled to minimize unnecessary traffic to them

Cyber Security For the AP-1000

  • A major difference between the AP-1000 and the current nuclear fleet in the USA is the sheer number and complexity of digital components
  • Most of the nuclear plants in the USA were designed in the 60s and built in the 70s and 80s.

- The old nuclear fleet relied on relays, analog controllers (4-20 mA), sensors and switches for operation

  • Analog equipment is typically not susceptible to cyber disruption (e.g. you turn a hand switch and the rods fall into the core)

- The AP 1000 relies on a digital network for communication

  • Much faster and more efficient, however, more susceptible to cyber disruption

Picture of Current Control Room

Picture of AP-1000 Control Room

Questions