From kanterella
Latest revision as of 23:01, 19 October 2019

Summary of Category 2 Public Meeting on March 7, 2019, with Industry Stakeholders and the Nuclear Energy Institute Regarding NEI-Proposed Addendum 7 to NEI 08-09, Revision 6 and NEI 18-08
ML19093B030
Issue date: 04/30/2019
From: Eric Lee, NRC/NSIR/DPCP/CSB
To: Jim Beardsley, NRC/NSIR/DPCP/CSB
Brown M
Shared Package: ML19093B029


Text

April 30, 2019

MEMORANDUM TO: James Beardsley, Chief, Cyber Security Branch, Division of Physical and Cyber Security Policy, Office of Nuclear Security and Incident Response

FROM: Eric Lee, Senior Cyber Security Specialist /RA/, Cyber Security Branch, Division of Physical and Cyber Security Policy, Office of Nuclear Security and Incident Response

SUBJECT: SUMMARY OF CATEGORY 2 PUBLIC MEETING ON MARCH 7, 2019 WITH INDUSTRY STAKEHOLDERS AND THE NUCLEAR ENERGY INSTITUTE REGARDING NEI-PROPOSED ADDENDUM 7 TO NEI 08-09, REVISION 6 AND NEI 18-08

On March 7, 2019, the U.S. Nuclear Regulatory Commission (NRC) staff conducted a public meeting with the Nuclear Energy Institute (NEI) and other stakeholders. The purpose of the meeting was to discuss the staff's comments on the following two documents submitted by NEI for the staff's review and endorsement:

  • Amendment 7 to NEI 08-09, Cyber Security Plan for Nuclear Power Reactors, Revision 6 (Agencywide Documents Access and Management System (ADAMS) Accession No.: ML19058A511).

  • NEI 18-08, Portable Media Scanning Stations/Kiosk Cyber Security Controls Evaluation Template, Revision 0, dated August 2018 (ADAMS Accession No.: ML18255A146).

The staff presented the results of their review of the NEI-submitted Amendment 7 to NEI 08-09 (ADAMS Accession No.: ML19086A043) and NEI 18-08 (ADAMS Accession No.: ML19081A048), with the following comments:

1. Limit the scope of the amendment to those baseline security controls provided in the licensee's cyber security plan that do include guidance on the implementation of alternative security controls.
2. Eliminate any references to any documents that do not have any regulatory authority.
3. Revise Addendum 7 to be consistent with the licensee's cyber security plans, including the NRC-accepted, NEI-proposed addendums to NEI 08-09, Revision 6.
4. Revise the not-applicable security control discussion to focus on explaining why particular security controls are not applicable.

CONTACTS: Eric Lee, NSIR/DPCP, (301) 287-3461; Michael Brown, NSIR/DPCP, (301) 287-3679

In response, some stakeholders commented that since the use of alternative security controls provided in Section 3.1.6, Mitigation of Vulnerabilities and Application of Cyber Security Controls, of NEI 08-09 applies to all the baseline security controls, the scope of this document should not be limited. Staff agrees with the comment and updated the staff's comment. The staff documented the final comments in the NEI-submitted Addendum 7 (ADAMS Accession No.: ML19080A152).

The staff provided the following comments on NEI 18-08:

1. Clarified that the term "isolated network" means that a kiosk network has no connectivity to any other network, except through a deterministic device (e.g., a data diode).
2. Clarified that supply chain controls for the kiosk should follow the guidance in NEI 08-09, Addendum 3.
3. Clarified the additional controls that are needed if a kiosk has to be run in ADMINISTRATOR mode.
4. Clarified what actions need to be taken if an audit processing failure occurs on the kiosk.
5. Clarified the actions to be taken for log reviews if a networked kiosk provides real-time alerts.
6. Made some editorial comments to ensure consistent wording was used throughout the document.
7. Clarified the additional controls that need to be implemented for controls E.3.4, Monitoring Tools and Techniques, and E.3.7, Software and Information Integrity.
8. Clarified that kiosks located outside the protected area still need to be protected in accordance with the guidance in NEI 08-09, Addendum 4.
9. Clarified that the guidance given under control E10.8, Least Functionality, applies to the kiosk.

The staff received a number of comments on the potential for allowing bi-directional communication between a networked kiosk and a site's business network. The staff responded that they did not feel that bi-directional communication was appropriate because it could be viewed as a data diode bypass.

Staff also received questions about the potential for having a critical digital asset (CDA) on the kiosk network or for having additional cyber tools on a kiosk network (e.g., host intrusion detection, network intrusion detection). Staff responded that they felt it was acceptable to have additional cyber tools on a kiosk network and that, in general, it would not be acceptable to have CDAs also located on the kiosk network, unless the entire network was protected at the level required for the CDA.

At the meeting, an NEI representative stated that NEI accepts the staff's comments provided during the public meeting and this meeting summary memorandum as the staff's comments on their two submitted documents.

Enclosure: Attendees List

Package: ML19093B029

OFFICE   DPCP/CSB   DPCP/CSB     DPCP/CSB
NAME     MBrown     JBeardsley   ELee
DATE     4/3/19     4/17/19      4/30/19