ML18227A182: Difference between revisions
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
||
| Line 3: | Line 3: | ||
| issue date = 08/15/2018 | | issue date = 08/15/2018 | ||
| title = Draft Guidance 5061 Slides for Public Meeting | | title = Draft Guidance 5061 Slides for Public Meeting | ||
| author name = Lawson-Jenkins K | | author name = Lawson-Jenkins K | ||
| author affiliation = NRC/NSIR/DPCP/CSB | | author affiliation = NRC/NSIR/DPCP/CSB | ||
| addressee name = | | addressee name = | ||
Revision as of 23:31, 12 June 2019
| ML18227A182 | |
| Person / Time | |
|---|---|
| Issue date: | 08/15/2018 |
| From: | Kim Lawson-Jenkins NRC/NSIR/DPCP/CSB |
| To: | |
| References | |
| DG-5061, RG-5.71 | |
| Download: ML18227A182 (12) | |
Text
Revision of RG 5.71(Draft Guidance 5061)Kim Lawson
-JenkinsCyber Security BranchDivision of Physical and Cyber Security PolicyOffice of Nuclear Security and Incident Response 1
2Reasons for revising RG 5.71
- RG 5.71 released in 2010
- Since 2010-
-New NRC regulation
-Implementation of cyber security plans at licensees' plants-Milestone 1
-7 cyber security inspections
-NEI 13-10-Addendums to NEI 08
-09*Work began on DG
-5061 in spring 2016 Scope of Updates
- Clarify existing interpretation of regulations
- Based on lessons learned from Milestones 1
-7 inspections
- Changes apply going forward*New regulation since 2010
-Cyber security event notification
-53 r4*New IAEA security guidance 3
4Dependencies
- Resolution of SFAQs oDeterministic Devices oData Integrity oMoving Data Between Security Levels oTreatment of Maintenance & Test Equipment
- Outcome of 2016 Table Top Exercises oDetection Response and Elimination oMonitoring and Assessment oDrills and Exercises
- NEI 08-09 Addendums Staff Regulatory GuidanceAsset Identification associated with 10 CFR 73.54*Balance of Plant Equipment
- The importance of identifying attack surfaces and attack pathways in the analysis of digital systems 5
Staff Regulatory GuidanceProtection of digital assets 6
Staff Regulatory GuidanceProtection of digital assets
- Purpose of security controls -Control intent added to Appendices B and C
- Reducing or eliminating attack surfaces and attack pathwaysEffectiveness of security measures
- Cyber security metrics
-What is being measured?
-Why is it being measured?
-What do the metrics mean?
7 KStaff Regulatory Guidance 8The Big PictureSSEP functionsCDACDACDACDAsSecurity ControlsKnowledge of Attack Surfacesand PathwaysPerformApplied ToContinuously Monitored for EffectivenessCyber Security Plan Other Changes
- Defensive Architecture
- Glossary*References
- Appendix A (CSP template)
-only editorial changes 9 Appendices B & C (security controls) 10 DG-5061NEI 08-09Rationale for change/differenceB.1.9Previous Logon NotificationRemoved controlIntent covered in covered in logging/audit controlsB.1.11 Supervision and Review
-Access ControlRemoved controlIntent covered in covered in logging/audit controlsB.1.14 Automated LabelingRemoved controlRemoved controlIntent is covered in C.1.3 Media Labeling/MarkingB.3.5 Resource PriorityRemoved controlRemoved control Anysafety requirements for resource priority would have precedence. This control is usually applicable in the design phase of a digital device.B.3.19 Thin NodesRemoved controlRemoved controlThis control would becovered inthe B.5.1 Removal of Unnecessary Services and Programs. B.3.20Heterogeneity/DiversityRemoved controlDifferentdepending on safety or security context.B.3.21Fail in a known stateRemoved controlImportantfor security Tentative Schedule
- Public Comment Period
-60 days*Comments Resolution
-late 2018*Publication of RG 5.71 rev 1
-early 2019 11 Questions 12