© NEI 2018. All rights reserved.
NEI 08-09, Revision 6 Dated April 2010
Addendum 7 Dated December 2018

Addendum 7 to NEI 08-09, Revision 6 Dated April 2010
Evaluating and Documenting Use of Alternative Cyber Security Controls / Countermeasures

1 INTRODUCTION

1.1 BACKGROUND
Nuclear licensees are required in accordance with Appendix A, Section 3.1.6 of their Cyber Security Plans (CSP) to implement cyber security controls in CSP Appendices D and E for CDAs. Where a licensee elects to implement alternative controls/countermeasures, CSP Appendix A, Section 3.1.6.2 establishes the requirements for evaluating and documenting the basis for the use of the alternative controls/countermeasure.
During the initial 2017-2018 NRC inspections of the full implementation of the Cyber Security Plan (CSP), licensees' Critical Digital Asset (CDA) assessments inadequately documented some justifications for the use of alternative cyber security controls/countermeasures under CSP Appendix A, Section 3.1.6.2 for some CDAs.
In these cases, the documented basis for applying the alternative controls/countermeasures did not provide for an independent reviewer to conclude that the alternatives mitigated the threat/attack vector the original control was intended to protect. This lack of detail complicated the ability of the NRC inspectors to determine if the applied cyber security controls failed to adequately protect the CDA from a cyber attack or if the issue was only inadequate documentation of the basis for the use of alternative controls/countermeasures.

1.2 PURPOSE
This addendum documents the process and considerations associated with evaluating and documenting the use of alternative cyber security controls/countermeasures to meet the requirements of CSP Appendix A, Section 3.1.6.2. This addendum intends to enhance clarity and consistency in nuclear licensee implementation of alternative control/countermeasure activities and support NRC oversight activities.

1.3 SCOPE
The guidance in this addendum is applicable to nuclear power reactor licensees with CSPs based on the template in NEI 08-09, Revision 6, and NEI 08-09, Revision 6, Addendum 1. The guidance in this Addendum is applicable to assessment activities associated with CDAs performed under CSP Appendix A, Section 3.1.6. This guidance may be used by licensees who have used Regulatory Guide (RG) 5.71, "Cyber Security Programs for Nuclear Facilities," as a basis for their Cyber Security Plans.
NEI 08-09, Revision 6, Appendix A, Section 3.1.6 corresponds to NRC RG 5.71, Section C.3.3 and Appendix A, Section A.3.1.6.
Section 2 describes the Regulatory Basis for the use of alternative controls/countermeasures associated with assessments performed for CDAs. Section 3 describes an acceptable method for evaluating and documenting the basis for the use of alternative controls/countermeasures to comply with CSP Appendix A, Section 3.1.6.2.

1.4 USE OF THIS DOCUMENT
This document is intended to be a guide that details an acceptable approach for evaluating and documenting the use of alternative controls/countermeasures for CDAs to comply with CSP Appendix A, Section 3.1.6.2.

1.5 ACRONYMS
The following acronyms are used in this document:
CDA - Critical Digital Asset
CS - Critical System
CSP - Cyber Security Plan
HMI - Human Machine Interface
RG - Regulatory Guide
SDP - Significance Determination Process

1.6 DEFINITIONS
None

2 REGULATORY BASIS FOR USE OF ALTERNATIVE CONTROLS/COUNTERMEASURES
The NRC Inspection Procedure for Cyber Security (Reference 5), Section 71130.10-2 provides a discussion on licensees' use of alternative controls that is consistent with the revised text in NEI 08-09, Revision 6, CSP Appendix A, Section 3.1.6.2. An excerpt of this NRC Inspection Procedure section is restated below:
"Licensee may elect to implement the controls as specified, implement an alternative, or not implement. For situations in which an alternative control or security measure is provided as a substitute, the licensee shall provide a documented basis that confirms the alternative control mitigates the threat/attack vector the original control is intended to protect and ensures that the functions of protected assets identified by 10 CFR 73.54(b)(1) are not adversely impacted due to cyber attacks. (NEI (A.3.1.6) RG (A3.1.6))
For situations in which the licensee has determined the control is unnecessary (e.g., the threat/attack vector addressed by the control does not exist), the licensee shall provide documentation that justifies why the control is not required; and demonstrates that the threat/attack vector does not exist. (NEI (A 3.1.6) RG (A 3.1.6))"
The Cyber Security Rule requires implementation of security controls to protect the identified assets from cyber attacks (10 CFR 73.54(c)(1)). In the application of an actual Cyber Security program, a Cyber Threat/Attack vector is a means, channel, mechanism, or mode that uses a specific threat/attack pathway through which a known vulnerability can be exploited, using cyber means (e.g., to cause manipulation, and/or reconfiguration, and/or alteration of the device's software and/or data), to initiate or introduce a cyber attack on a CS or a CDA (Reference 1). The NRC has defined the Threat/Attack pathways in Section 6.1 of the Cyber Security Significance Determination Process (SDP) (Reference 2). This section in the SDP provides the five threat/attack vectors and specific questions that, if answered in the affirmative, identify that the pathway could be used to stage a cyber attack on a CS/CDA.
The five threat/attack pathways described in this section are listed below:
- a. Physical access to the CDA
- b. Supply chain access to the CDA
- c. Portable media/device connectivity to the CDA
- d. Wired communications with the CDA
- e. Wireless communications with the CDA
NEI 08-09, "Cyber Security Plan for Nuclear Power Reactors," Revision 6 (Reference 3, aka CSP) provides a defensive strategy that consists of a defensive architecture and set of security controls that are employed to mitigate vulnerabilities and potential consequences of a cyber-attack staged through the threat/attack pathways. CSP Appendix A, Section 4.3 establishes the Defense-In-Depth protective strategies including the site defensive architecture. CSP Appendix A, Section 3.1.6.1 establishes the programmatic requirements for implementation of the Cyber Security Plan technical and operational controls.
CSP Appendix A, Section 3.1.6.2 provides the programmatic controls for use of alternative cyber security controls/countermeasures.
NEI 08-09, Revision 6, Addendum 1 (Reference 4) provides a revision to CSP Appendix A, Section 3.1.6.2 that aligns the evaluation of alternative countermeasures in CSP Appendix A, Section 3.1.6 to that required by 10 CFR 50.54(p). An excerpt of the revised CSP Appendix A, 3.1.6 is restated below:
"For CDAs, the information in Sections 3.1.3-3.1.5 is utilized to analyze and document one or more of the following actions. NEI 13-10 may be used to satisfy the actions in 3.1.6.1.
- 1. Implementing the cyber security controls in Appendices D and E of NEI 08-09, Revision 6.
- 2. Implementing alternative controls/countermeasures that mitigate the consequences of the threat/attack vector(s) associated with one or more of the cyber security controls enumerated in above by:
- a. Documenting the basis for employing alternative countermeasures.
- b. Performing and documenting the analyses of the CDA and alternative countermeasures to confirm that the countermeasures mitigate the threat/attack vector the control is intended to protect.
- c. Implementing alternative countermeasures determined in Section 3.1.6.2.b.
- 3. Not implementing one or more of the cyber security controls by:
- a. Performing an analysis of the specific cyber security controls for the CDA that will not be implemented.
- b. Documenting justification demonstrating the attack vector does not exist (i.e., not applicable) thereby demonstrating that those specific cyber security controls are not necessary."

3 ALTERNATIVE / APPLICABILITY JUSTIFICATIONS
In determining whether an alternative control/countermeasure being applied to a CDA mitigates the threat/attack vector the control is intended to protect, the evaluation should address the following elements. During an inspection, if asked to provide documentation on an alternative control implementation, the licensee should consider providing a written response that addresses the following elements:
- 1. Identify and document the basis for whether or not each of the five threat/attack pathways has threat/attack vector(s) that are applicable to the CDA. This can be accomplished through a review of the Cyber Security SDP, Section 6.1 and using that review to answer each question (Reference 2). The questions from the Cyber Security SDP, Section 6.1 are provided below. For an existing CDA, this part of the evaluation should already have been done for the original assessment, but the following questions may assist in providing additional detail:
- a. Physical access to the CDA.
Is physical access to and manipulation of the CS/CDA or use of the CS/CDA's HMI possible by personnel other than those with access authorization?
- b. Supply chain access to the CDA.
Are vendor-provided software patches and updates installed without prior validation and testing on a separate support system or test bed contrary to the licensee's CSP?
Is the CS/CDA vendor permitted to have remote access to the CS/CDA for support purposes without cyber and physical end-point security?
Are there any system and services acquisition requirements that have not been implemented in accordance with the licensee's CSP?
- c. Portable media/device connectivity to the CDA.
Can any form or format of portable electronic storage media be connected to or mounted on a media drive and utilized by the CS/CDA?
Can any form of portable computer/intelligent device be connected to and intercommunicate with the CS/CDA?
- d. Wired communications with the CDA.
Does the CS/CDA have an enabled communications adapter with a connection to any type of local area network (LAN) or wide area network (WAN)?
Does the CS/CDA have an internal or external modem with a connection to a leased or public switched telephone network (PSTN) over which communication can transit?
Does the CS/CDA have a point-to-point (multi-point) synchronous or asynchronous serial communications link to another computer?
- e. Wireless communications with the CDA.
Does the CS/CDA have any type of enabled wireless communications adapter (including infrared)?
- 2. Identify and explain the mitigation of the applicable threat/attack vector(s) (i.e., cyber security protection) provided by the original control that the alternative control is proposed to replace.
- 3. Explain how the alternative control/countermeasure mitigates each of the threat/attack vector(s) determined to be protected by the original control. The justification may entail a combination of an alternative countermeasure plus other controls to mitigate the threat/attack pathway.
- 4. If the alternative control/countermeasure is confirmed to mitigate each of the threat/attack vector(s) the original control is intended to protect, then the documentation should become a portion of the assessment record for the CDA.
- 5. Implement the alternative control/countermeasure per CSP Appendix A, Section 3.1.6.2.c.
In determining whether a specific cyber security control for the CDA will not be implemented, a similar process for determining the applicable threat/attack vectors should be used. The evaluation should include the following:
- 1. Identify and document the basis for whether or not each of the five threat/attack pathways has threat/attack vector(s) that are applicable to the CDA. This can be accomplished by answering each of the questions in the Cyber Security SDP, Section 6.1. For an existing CDA, this part of the evaluation should already have been done for the original assessment, but the following items may assist in providing additional detail.
- 2. Identify and explain the mitigation of the applicable threat/attack vector(s) (i.e., cyber security protection) provided by the original control that the alternative control is proposed to replace.
- 3. If a threat/attack vector does not exist for a CDA, then the cyber security control that protects the non-existing vector does not need to be implemented for the CDA.
- 4. The documentation generated for this evaluation should become a portion of the assessment record for the CDA.

4 REFERENCES
- 1. Security Frequently Asked Questions (SFAQ) 16-06, "Communications Attack Pathways," dated May 3, 2017
- 2. NRC Inspection Manual Chapter 0609, Appendix E, Part IV, "Cyber Security Significance Determination Process for Power Reactors," dated August 15, 2017.
- 3. NEI 08-09, "Cyber Security Plan for Nuclear Power Plants," Revision 6, dated April 2010
- 4. NEI 08-09, "Cyber Security Plan for Nuclear Power Plants," Revision 6, Addendum 1, dated February 2017
- 5. NRC Inspection Procedure 71130.10P, "Cyber Security," dated May 15, 2017