ML21069A159

=Text=
NRC Review of Draft NEI White Paper, Changes to NEI 10-04 and NEI 13-10 Guidance for Identifying and Protecting Digital Assets Associated with Security, Dated December 2020

Each numbered comment below gives the white paper page, the White Paper Text, the Revised Text proposed by the NRC staff, and the staff Comment. The Revised Text column was a redline in the original and that markup is not preserved here, so where a struck word and its replacement sit side by side (for example "an SSEP security function" or "should must be"), read them as the white paper's original wording next to the staff's proposed wording.

Comment 1 (page 1)
White Paper Text: NEI 10-04 section 2.2, "Security Systems," documents the interface and integration of cyber security and physical security programs required to satisfy the physical protection performance objectives of 10 CFR 73.55(b). These objectives are provided in 10 CFR 73.55(b)(3), which requires
Revised Text: NEI 10-04 section 2.2, "Security Systems," documents the interface and integration of cyber security and physical security programs required to satisfy the physical protection performance objectives of 10 CFR 73.55(b). These objectives are provided in 10 CFR 73.55(b)(3), which requires:
Comment: Revised to clarify that the physical protection program performance objectives are broader than 10 CFR 73.55(b)(3).

Comment 2 (page 2)
White Paper Text: 10 CFR 73.54(a)(1)(ii) and (iv) require that licensees protect against cyber attacks for those digital and communication systems and networks associated with security functions and support systems and equipment which, if compromised, would adversely impact security functions.
Revised Text: 10 CFR 73.54(a)(1)(ii) and (iv) require that licensees protect against cyber attacks for those digital and communication systems and networks associated with security functions and support systems and equipment which, if compromised, would adversely impact security SSEP functions.
Comment: Revised to broaden the scope from security functions to safety, security, and emergency preparedness (SSEP functions), consistent with 10 CFR 73.54(a)(1)(iv).

Comment 3 (page 3)
White Paper Text: licensees are required to perform an analysis
Revised Text: (none proposed)
Comment: The available guidance for how to perform an analysis of security critical digital assets (CDAs) should provide a level of detail consistent with other types of CDAs.

Comment 4 (page 5)
White Paper Text: These devices should be analyzed but need not be classified as CDAs if the licensee analysis demonstrates that a cyber attack on the device cannot adversely impact a security function.
Revised Text: These devices should be analyzed but need not be classified as CDAs if the licensee analysis demonstrates that a cyber attack on the device cannot adversely impact an SSEP security function.
Comment: "Security function" replaced with "SSEP function" consistent with the requirements for support systems.

Comment 5 (page 6)
White Paper Text: 10 CFR 73.55(b)(7) requires licensees maintain an Access Authorization program in accordance with 10 CFR 73.56... This would be an adverse impact to access control functions.
Revised Text: Consistent with 10 CFR 73.54(a), 10 CFR 73.54(b), and their CSP, licensees are required to perform an analysis and determine those digital assets that, if compromised, would cause an adverse impact to SSEP functions and thus require protection. 10 CFR 73.55(b)(7) requires licensees maintain an Access Authorization program in accordance with 10 CFR 73.56... This would be an adverse impact to access control security functions.
Comment: Revised to be consistent with the text in Security Frequently Asked Question (SFAQ) 17-04, Access Authorization Systems, dated January 22, 2018 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML18030A534, nonpublic).

Comment 6 (page 6)
White Paper Text: When analyzing digital computer systems, the systems and equipment associated with the following security functions must be protected against adverse impact:
Revised Text: (none proposed)
Comment: This section should make clear that the list of security functions is not exhaustive. Consistent with the NRC's position when it reviewed NEI 10-04, Revision 2, Identifying Systems and Assets Subject to the Cyber Security Rule in 2012 (ADAMS Accession No. ML12198A198), digital systems and equipment used to facilitate implementation of security programs specified in 10 CFR 73.55(b) are within the scope of 10 CFR 73.54. The list of security functions in NEI 10-04 should also include the access authorization (AA) program, as specified in 10 CFR 73.55(b)(7).

Comment 7 (page 6)
White Paper Text: Licensees are required to identify and evaluate those digital assets associated with Security support functions whose failure as the result of a cyber attack could result in an adverse impact to a Security function.
Revised Text: Licensees are required to identify and evaluate those digital assets associated with Security support functions systems whose failure or compromise as the result of a cyber attack could result in an adverse impact to an Security SSEP function.
Comment: "Failure or compromise" is consistent with the definition of CDA in NEI 08-09, Revision 6, Cyber Security Plan for Nuclear Power Reactors, dated April 2010 (ADAMS Accession No. ML101180437). SSEP function is consistent with the requirements for support systems in 10 CFR 73.54.

Comment 8 (page 7)
White Paper Text: 3) Analysis, including operating experience, training, and procedures that demonstrate compensatory measures can be taken to preclude an adverse impact to SSEP functions, are sufficient to preclude classifying systems as CDAs. For example, CAS and SAS HVAC should be analyzed to determine the impact to the security functions. If licensees have compensatory measures that can be taken to preclude an adverse impact to the security function, then CAS and SAS HVAC need not be classified as a CDA.
Revised Text: (none proposed)
Comment: Licensees are required by 10 CFR 73.54(a)(1)(iv) to protect digital computer and communication systems and networks associated with support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions. Licensees must identify all assets associated with SSEP and support functions to ensure that licensees can appropriately monitor those assets and reevaluate their associated risk with the evolving threat environment. A licensee may consider the ability to implement compensatory measures when determining what security controls to apply to the assets.

Comment 9 (page not listed)
White Paper Text: The current NEI 13-10 Rev. 6 guidance is adequate for performing a consequence analysis for security support systems, digital tools, and personnel aids to determine if they meet the criteria for being classified as an indirect CDA.
Revised Text: The current NEI 13-10 Rev. 6 guidance is adequate for performing a consequence analysis for security support systems, digital tools, and personnel aids to determine the level of protection required for these assets. if they meet the criteria for being classified as an indirect CDA.
Comment: NEI 13-10, Revision 5, Cyber Security Control Assessments, dated February 2017 (ADAMS Accession No. ML17046A658), provides licensees guidance on performing a consequence assessment to determine the level of protection a CDA requires.

Comment 10 (page 7)
White Paper Text: [A digital device should be identified as a Critical Digital Asset (CDA) if it performs:] a) SSEP functions and, through analysis, determines a compromise would adversely impact a SSEP function;... c) Support functions (e.g., primary or back-up power, HVAC, fire protection, etc.) and, through analysis, determines a compromise would adversely impact a SSEP function.
Revised Text: [A digital device should be identified as a Critical Digital Asset (CDA) if it performs:] a) SSEP functions and, through analysis, determines a or whose compromise would adversely impact a SSEP function;... c) Support functions (e.g., primary or back-up power, HVAC, fire protection, etc.) and, through analysis, determines demonstrates a compromise would adversely impact a SSEP function.
Comment: The change in a) is not consistent with 10 CFR 73.54 or existing guidance, which states that licensees shall protect all digital computers/networks associated with SSEP functions. The proposed change to NEI 10-04 would have licensees perform an additional analysis that determines a compromise of an asset performing an SSEP function would adversely impact the function. This additional step is inconsistent with 10 CFR 73.54 and the definition of CDAs in other guidance.

Comment 11 (page 8)
White Paper Text: Digital information systems and applications that store or transmit personally-identifiable information (PII) which is defined in NEI 03-01 as all information, unique to an individual, that is collected or developed during the implementation of the [unescorted access authorization or fitness for duty] program requirements, should be identified as digital AA assets. Licensee analysis of digital AA assets, used to facilitate the implementation of the AA program, will determine if security controls are needed to comply with 10 CFR 73.55(b)(7), 10 CFR 73.56(m) and 10 CFR 73.56(o) requirements.
Revised Text: Digital information systems and applications that store or transmit personally-identifiable information (PII) which is defined in NEI 03-01 as all information, unique to an individual, that is collected or developed during the implementation of the UAA or FFD program requirements, should must be identified as digital AA assets. Licensee analysis of digital AA assets, used to facilitate the implementation of the AA program, will determine if the security controls are needed to comply with 10 CFR 73.54, 10 CFR 73.55(b)(7), 10 CFR 73.56(m) and 10 CFR 73.56(o) requirements.
Comment: As AA is a security function, licensees must protect digital assets associated with AA to meet the requirements of 10 CFR 73.54.

Comment 12 (page 8)
White Paper Text: 10 CFR 73.56 Compliance Alternatives. Licensees can comply with 10 CFR 73.56(m) and 10 CFR 73.56(o) requirements
Revised Text: 10 CFR 73.54 73.56 Compliance Alternatives. Licensees can comply with 10 CFR 73.54(c)(1), 10 CFR 73.56(m), and 10 CFR 73.56(o) requirements...
Comment: Consistent with SFAQ 17-04, this section should make clear that licensees are protecting AA assets against cyber attacks in accordance with 10 CFR 73.54.

Comment 13 (page 8)
White Paper Text: Using only printed AA records. Use of this option requires AA records with PII and either a National Identification Number or government-issued identification must be physically secured and access to those records must be limited to authorized personnel only.
Revised Text: Using only validated printed AA records. Use of this option requires AA records with personal information PII and either a National Identification Number or government-issued identification must be physically secured and access to those records must be limited to authorized personnel only.
Comment: PII changed to personal information consistent with the terms used in 10 CFR 73.56 and associated guidance. All personal information (as defined in 10 CFR 73.56 and associated guidance) must be appropriately protected, not only personal information that is additionally associated with an identification number.

Comment 14 (pages 7-12)
White Paper Text: Section 4.2, Proposed NEI 13-10 Changes
Revised Text: (none proposed)
Comment: The text under Section 4.2 does not consider other instances where a manual verification process is used to ensure the integrity of the information that is reviewed to grant unescorted access authorization (UAA). Additionally, in areas where manual verification is discussed, the document should describe what types of manual verification are acceptable.

Comment 15 (page 10)
White Paper Text: Licensees that conduct an AA data analysis and classify their AA digital assets as critical digital assets (CDAs) have the option of positioning those AA digital assets on the higher level(s) of protection of their defensive model (e.g., security level 3 or 4 of their defensive architecture), as described in NEI 08-09 Rev. 6, section 4.3, Defense-in-Depth Protective Strategies. AA assets classified as CDAs must be protected in a manner compliant with a licensees Cyber Security Plan. When classified as CDAs, 10 CFR 73.54(c) requires licensees to:
* Implement security controls to protect the assets identified as within the scope of the Rule;
* Apply and maintain defense-in-depth protective strategies;
* Mitigate the adverse impact of cyber-attacks; and
* Ensure the functions of protected assets are not adversely impacted due to cyber attacks.
Revised Text: Licensees that conduct an AA data a 10 CFR 73.54 analysis and classify their determine that AA digital assets as are critical digital assets (CDAs) have the option of positioning those AA digital assets on the higher level(s) of protection of their defensive model (e.g., security level 3 or 4 of their defensive architecture), as described in NEI 08-09 Rev. 6, section 4.3, Defense-in-Depth Protective Strategies. AA assets classified as CDAs must be protected in a manner compliant with a licensees Cyber Security Plan. When classified as CDAs, 10 CFR 73.54(c) requires licensees to:
* Implement security controls to protect the assets identified as within the scope of the Rule;
* Apply and maintain defense-in-depth protective strategies;
* Mitigate the adverse impact of cyber-attacks; and
* Ensure the functions of protected assets are not adversely impacted due to cyber attacks.
Comment: Revised to be consistent with the text in SFAQ 17-04. The deleted text applies broadly to the cyber program, but as written implied it applied to specific CDAs.

Comment 16 (page 11)
White Paper Text: To ensure AA assets and digital records are protected to the level of a CDA and meet the 10 CFR 73.54(c) requirements listed above, the following cyber security controls must be addressed as described in NEI 08-09 section 3.1.6:
Revised Text: To ensure AA assets and digital records are protected to the level of a CDA and meet the 10 CFR 73.54(c) requirements listed above, the following cyber security controls must be addressed as described in NEI 08-09 section 3.1.6 To meet 10 CFR 73.54, licensees must, at minimum, address the following cyber security controls, as described in NEI 08-09, for AA digital assets that have been identified as critical digital assets:
Comment: Revised to use language consistent with SFAQ 17-04.

Enclosure - NRC Staff Comments
ML21069A159
Issue date: 03/22/2021
From: NRC/NSIR/DPCP
To: Yip B
Shared Package: ML21069A155