Latest revision as of 13:05, 4 October 2024
ML24176A028

| Person / Time | |
|---|---|
| Issue date: | 06/24/2024 |
| From: | Alexander Prada NRC/NSIR/DPCP/CSB |
| To: | |
| References | |
| Download: ML24176A028 (1) | |
Text
Overview of the NRC Cybersecurity Oversight Program & Inspections
Alex Prada, Cybersecurity Specialist Cyber Security Branch (CSB)
Division of Physical & Cyber Security Policy (DPCP)
Office of Nuclear Security & Incident Response (NSIR)
1 Topics
- History of the US NRC Cyber Security Oversight Program
- 10 CFR 73.54 The Rule
- Cyber Security Plans (CSPs)
- Cyber Inspection Procedure
2 History of US NRC Cyber Security Oversight Program
[Timeline figure: NRC orders issued; Public Law 109-58 Energy Policy Act 2005; DBT update (10 CFR 73.1 physical & cyber DBT, revised threats); Cyber rule]
3 History of US NRC Cyber Security Oversight Program
[Timeline figure, 2010 to 2022: Guidance Development for Industry; CSPs submitted to the NRC; Interim Milestones Inspections (MS 1-7); Cyber Program Full Implementation; Full Implementation Inspections; Cyber Inspections in the ROP (Baseline); 10 CFR 73.77; NRC Cyber Program Assessment]
4 NRC Cyber Security Program
5 10 CFR Part 73
6 [Figure: structure of 10 CFR Part 73: 10 CFR 73.55 Physical Sec; 10 CFR 73.XX Physical Sec; 10 CFR 73.1 DBT; 10 CFR 73.54 Cyber Protections; SSEP functions: Safety, Important-to-Safety, Security, Emergency Preparedness, Balance of Plant]
7 Cybersecurity Program
[Figure: program elements: Systems Analysis & Identification; Implement Security Controls; Apply & Maintain D-I-D; Personnel Training Programs; Evaluate & Manage Cyber Risks; Evaluate MODS; 10 CFR 73.77 Cybersecurity Event Report; Detection & Incident Response; Consequence Mitigation; Vulnerability Management; Remediation; Recovery of Affected Systems; Periodic Review; Procedures; Records Retention]
10 CFR 73.54(a)(2) - Consequence
Protect the systems and networks identified [SSEP functions] from cyber attacks that would:
(i) Adversely impact the integrity or confidentiality of data and/or software;
(ii) Deny access to systems, services, and/or data; and
(iii) Adversely impact the operation of systems, networks, and associated equipment.
8 Adverse Impact
- The term adverse impact is used in 73.54 but defined in RG 5.71.
  - A direct and deleterious effect
- Loss or impairment of a function.
- Reduction in reliability, or
- In the ability to detect, delay, assess, or respond to a malevolent act, or
- In communication with offsite assistance, or
- In emergency response measures to respond to a radiological event.
9 Adverse Impact
Examples of adverse impact due to a cyber attack:
- Preventing a device from performing its designed function.
- Precluding an operator from taking appropriate action(s) based on false information.
- Causing an operator to not take action based on false information.
- Compromising configuration or data in a way that could lead to a cyber attack.
In 2007, the Idaho National Laboratory conducted the Aurora Generator Test, which demonstrated how a cyber attack could destroy physical assets.
10 Video: https://www.youtube.com/watch?v=fJyWngDco3g
Licensing of the Cybersecurity Program
11 Hierarchy of Regulatory Instruments
- Code of Federal Regulations (CFR): requirements
- Cybersecurity Plan (CSP): licensing basis; NRC-approved contract; legally binding document; commitments to meet the CFR (if guidance is included, it becomes legally binding)
- Licensee Procedures: details of how to meet the commitments in the CSP (if guidance is included, it is a self-imposed standard)
12 CSPs
Purpose of CSPs:
- Legally binding document; commitments to meet the regulations (10 CFR 73.54).
Guidance RG 5.71 & NEI 08-09 Rev 6:
- Describe an acceptable method (framework) for the construct of a CSP and a cyber security program to satisfy the requirements of 10 CFR 73.54.
- Licensees can develop their own CSP and cybersecurity program without relying on approved guidance.
- NRC reviews and approves CSPs.
13 Cyber Security Plan Template Guidance & Addendums
- RG 5.71 Cyber Security Programs for Nuclear Facilities ML22258A204
- NEI 08-09 Rev6 Add 1 Cyber Security Plan for Nuclear Power Reactors ML17079A423
- NEI 08-09 Rev6 Add 2 Cyber Attack Determination, Response, & Elimination ML17236A268
- NEI 08-09 Rev6 Add 3 Systems and Services Acquisition ML17236A269
- NEI 08-09 Rev6 Add 4 Physical & Operational Environment Protection ML17236A270
- NEI 08-09 Rev6 Add 5 Cyber Security Vulnerability & Risk Management (OUO-SRI) ML18212A282
- NEI 11-08 Guidance Submitting Security Plan Changes ML12216A194
14 NEI 08-09 & RG 5.71 CSP Objectives
Defense-in-Depth = Technical, Operational, and Management Security Controls
[Figure: defense-in-depth diagram contrasting a more secure layering of controls with a less secure one]
15 NEI 08-09 & RG 5.71 CSP Objectives
NEI 13-10 may be used to address security controls:
- Implement the controls as written in the CSP.
- Apply alternative controls.
  - Document the basis.
  - May perform & document attack tree analysis.
  - Must mitigate the attack vector.
- Control not applicable.
  - Document an attack analysis demonstrating that the attack vector does not exist.
16 Cyber Security Event Reporting
Cyber Security Event Reporting
- Review of licensee processes and procedures to verify the licensee can meet the cyber security event reporting requirements in accordance with 10 CFR 73.77.
- Guidance RG 5.83 & NEI 15-09
  - Types of cybersecurity events and notification timeframes.
  - Notification process.
  - Written follow-up reports.
17 10 CFR 73.77 Cyber Security Event Notification
[Figure: event categories plotted against notification time (hours): 1, 4, 8, 24, and Recordable]
18 10 CFR 73.77 Cyber Security Event Notification
[Figure: same chart, with the following entries legible:]
- Information about observed behavior, activities, or statements related to intelligence gathering or pre-operational planning related to a cyber attack.
- Vulnerabilities, weaknesses, failures and deficiencies in the site's cyber security program (10 CFR 73.54) are entered in the Corrective Action Program.
- Record notifications made to the NRC subject to the provisions of 10 CFR 73.54.
19 NRC Cybersecurity Inspections IP 71130.10
20 Cybersecurity Inspection Resources
- Inspection Procedure IP 71130.10
- Team Composition
  - NRC Lead Inspector, qualified per IMC 1245 App C-14
  - 2 Regional Inspectors
  - 2 Cyber Security Subject Matter Experts (Contractor SMEs)
  - HQ staff sometimes on site
  - HQ staff & SME contractors available remotely
- ~25 inspections scheduled/year
  - Inspection conducted on a biennial basis for each site
[Figure: NRC staff & contractor support: NRC HQ staff, 2 NRC inspector staff, contractors; available (remotely) to the team as/if needed]
21 Cybersecurity Inspections
Oversight activity that takes 5 weeks (non-consecutive)

| | Week 1 | Week 2 | Week 3 | Week 4 | Week 5 |
|---|---|---|---|---|---|
| Phase | Inspection Coordination | Inspection Coordination / Preparation | Inspection Preparation & Documentation (Prep & doc) | Inspection week | Report Writing |
| Triggering Event | NRC notification letter & request for information (RFI) #1 received by the licensee | RFI received by the NRC | RFI #2 received by the NRC | Team arrival; entrance meeting | Findings and conclusions finalized |
| Task | Inspectors coordinate logistics for site visit; clarify RFI; prepare inspection plan | NRC reviews RFI: site's policies, procedures, network diagrams; sample selection; RFI #2 sent to the licensee; interviews/activities schedule drafted | Ongoing review of RFI 1 & 2 and other documentation; sample selection finalized; update/finalize & send inspection plan | Collect information; perform analysis; document findings; exit brief or meeting | Present findings to the SIF; prepare report & significance & enforcement; send final report to licensee |

03.01(a) Associated Controls (1 of 2)
| Control | Control Name | Periodicity |
|---|---|---|
| A.4.12 | Cyber Security Program Review | 24 Months |
| A.4.13 | Document Control and Records Retention and Handling | 12 Months |
| A.4.13 | Document Control and Records Retention and Handling | 3 Years |
| A.4.3 | Defense-in-Depth Protective Strategies | |
| A.4.4 | Ongoing Monitoring and Assessments | Periodic |
| A.4.4.3.1 | Effectiveness Analysis | 24 Months |
| A.4.9 | Evaluate and Manage Cyber Risk | |
| D.1.01 | Access Control Policy and Procedures | 12 Months |
| D.1.02 | Account Management | 31 Days |
| D.1.17 | Wireless Access Restrictions | 31 Days |
| D.1.18 | Insecure and Rogue Connections | 31 Days |
| D.2.02 | Auditable Events | 12 Months |
| D.2.06 | Audit Review, Analysis, and Reporting | 31 Days |
| D.3.01 | CDA, System and Communications Protection Policy and Procedures | 24 Months |

[Program element icons: Implement Security Controls; Apply & Maintain D-I-D]
23 03.01(a) Associated Controls (2 of 2)

| Control | Control Name | Periodicity |
|---|---|---|
| D.4.1 | Identification and Authentication Policies and Procedures | 31 Days |
| D.4.3 | Password Requirements | 92 Days |
| D.4.6 | Identifier Management | 31 Days |
| D.4.7 | Authenticator Management | 12 Months |
| E.1.6 | Media Sanitization and Disposal | 92 Days |
| E.3.3 | Malicious Code Protection | Periodic |
| E.3.4 | Monitoring Tools and Techniques | 7 Days |
| E.3.7 | Software and Information Integrity | 92 Days |
| E.6 | Defense-in-Depth | 92 Days |
| E.7.3 | Incident Response Testing and Drills | 12 Months |
| E.8.3 | Contingency Training | 12 Months |
| E.8.5 | CDA Backups | IAW Assessment |
| E.9.3 | Technical Training | 12 Months |
| E.10.3 | Baseline Configuration | 92 Days |
| E.10.6 | Access Restrictions for Change | 92 Days |
| E.10.8 | Least Functionality | 31 Days |
| E.12 | Evaluate and Manage Cyber Risk | 92 Days |

[Program element icons: Implement Security Controls; Apply & Maintain D-I-D]
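As an added example (not part of the presentation and not an NRC tool), the periodicities listed in the two 03.01(a) tables can drive a simple due-date check that a licensee could run against its control log before the inspection week. The control records and dates below are constructed sample data, the bucket names are my own, and counting "Months" and "Years" by calendar month is an assumption about how the intervals are measured.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class ControlRecord:
    control: str               # identifier from the 03.01(a) tables, e.g. "D.1.02"
    name: str
    periodicity: str           # as listed: "31 Days", "12 Months", "3 Years", "Periodic", "IAW Assessment", ""
    last_completed: Optional[date]


def parse_interval(periodicity: str):
    """'31 Days' -> (31, 'day'); None for 'Periodic', 'IAW Assessment' or blank,
    which the tables list without a fixed calendar interval."""
    parts = periodicity.split()
    if len(parts) != 2 or not parts[0].isdigit():
        return None
    unit = parts[1].lower().rstrip("s")
    return (int(parts[0]), unit) if unit in ("day", "month", "year") else None


def _add_months(d: date, months: int) -> date:
    """Calendar-aware month addition; clamps e.g. 31 Jan + 1 month to the end of Feb."""
    y, m0 = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m0 + 1
    return d.replace(year=y, month=m, day=min(d.day, calendar.monthrange(y, m)[1]))


def due_date(last: date, periodicity: str) -> Optional[date]:
    """Next due date after `last`, or None when the periodicity has no fixed interval."""
    iv = parse_interval(periodicity)
    if iv is None:
        return None
    n, unit = iv
    if unit == "day":
        return last + timedelta(days=n)
    return _add_months(last, n if unit == "month" else 12 * n)


def evaluate(records, as_of: date) -> dict:
    """Sort controls into the buckets an inspection team would ask about on arrival."""
    out = {"overdue": [], "current": [], "never_performed": [], "basis_driven": []}
    for r in records:
        if parse_interval(r.periodicity) is None:
            out["basis_driven"].append(r.control)   # check against the CSP/assessment basis, not a calendar
        elif r.last_completed is None:
            out["never_performed"].append(r.control)
        elif due_date(r.last_completed, r.periodicity) < as_of:
            out["overdue"].append(r.control)
        else:
            out["current"].append(r.control)
    return out


# Constructed sample log (dates are made up); periodicities match the tables above.
SAMPLE = [
    ControlRecord("A.4.12", "Cyber Security Program Review", "24 Months", date(2022, 5, 30)),
    ControlRecord("A.4.13", "Document Control and Records Retention and Handling", "3 Years", date(2021, 6, 1)),
    ControlRecord("D.1.02", "Account Management", "31 Days", date(2024, 5, 1)),
    ControlRecord("D.2.02", "Auditable Events", "12 Months", None),
    ControlRecord("D.4.3", "Password Requirements", "92 Days", date(2024, 4, 15)),
    ControlRecord("E.3.3", "Malicious Code Protection", "Periodic", date(2024, 6, 1)),
    ControlRecord("E.3.4", "Monitoring Tools and Techniques", "7 Days", date(2024, 6, 20)),
    ControlRecord("E.8.5", "CDA Backups", "IAW Assessment", None),
]
AS_OF = date(2024, 6, 24)  # snapshot date; the presentation's issue date is used here

if __name__ == "__main__":
    for bucket, ids in evaluate(SAMPLE, AS_OF).items():
        print(f"{bucket:16s} {', '.join(ids) or '-'}")
```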
24 Cyber Security Branch Contact
- Alex Prada
- alexander.prada@nrc.gov
25 Questions?