=Text=
{{#Wiki_filter:Official Transcript of Proceedings NUCLEAR REGULATORY COMMISSION

==Title:==
33rd Regulatory Information Conference Technical Session - T9
Docket Number: (n/a)
Location: teleconference
Date: Tuesday, March 9, 2021
Work Order No.: NRC-1420
Pages 1-61
NEAL R. GROSS AND CO., INC.
Court Reporters and Transcribers 1323 Rhode Island Avenue, N.W.
Washington, D.C. 20005 (202) 234-4433
 
UNITED STATES OF AMERICA NUCLEAR REGULATORY COMMISSION
+ + + + +
33RD REGULATORY INFORMATION CONFERENCE (RIC)
+ + + + +
TECHNICAL SESSION - T9 POWER REACTOR CYBER SECURITY: THE PRESENT AND THE FUTURE
+ + + + +
TUESDAY, MARCH 9, 2021
+ + + + +
The Commission met via Video Teleconference, at 10:45 a.m. EST, Jim Beardsley, Chief, Cyber Security Branch, Division of Physical and Cyber Security Policy, Office of Nuclear Security and Incident Response, presiding.
PRESENT:
JIM BEARDSLEY, Chief, Cyber Security Branch, Division of Physical and Cyber Security Policy, NSIR/NRC
PAUL SHANES, Professional Lead for Cyber Security and Superintending Inspector, United Kingdom Office of Nuclear Regulation
JUSTIN SIGETICH, Director, Systems Engineering Division, Canadian Nuclear Safety Commission
BARRY KUEHNLE, Critical Infrastructure Protection Senior Advisor, Office of Electric Reliability, Federal Energy Regulatory Commission
DAN WARNER, IT Specialist, Cyber Security Branch, Division of Physical and Cyber Security Policy, NSIR/NRC
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433

C-O-N-T-E-N-T-S
Introduction, Jim Beardsley .... 4
Regulation of Cyber Security across the United Kingdom's Civil Nuclear Sector, Paul Shanes .... 9
CNSC Cyber Security Program at Nuclear Power Plants: The Present and The Future, Justin Sigetich .... 20
Barry Kuehnle .... 29
Question and Answer Session .... 35

P R O C E E D I N G S 10:45 a.m.
MR. BEARDSLEY: Good morning, ladies and gentlemen. Thank you for joining us for the Cyber Security 2021 RIC Session. Today's discussion is the latest in a series of RIC sessions on NRC's Cyber Security Oversight Program.
My name is Jim Beardsley, and I'm chief of the Cyber Security Branch in the NRC's Office of Nuclear Security and Incident Response. For today's session, I'll be joined by a group of international and interagency colleagues discussing the present and future of our respective cyber security oversight programs. We look forward to your questions as we proceed through the agenda.
The panel members include the following.
Mr. Paul Shanes from the United Kingdom's Office of Nuclear Regulation. Paul is a professional lead for cyber security at ONR.
We had hoped to have Mr. Justin Sigetich from the Canadian Nuclear Safety Commission, but he has not been able to connect at this point. If he does, we'll add Justin to the agenda. Justin is the director of CNSC's Systems Engineering Division.
And last but not least, Mr. Barry Kuehnle from the US Federal Energy Regulatory Commission.
Barry is a senior level energy infrastructure and cyber security advisor at FERC.
As we progress through the session, please feel free to enter questions into the session portal. Our team will queue up the questions for the panel following our remarks.
At this point, we'll transition into my presentation. I'll start out today's presentation with an update on the NRC's Cyber Security Oversight Program and then discuss the NRC's plans for the future of cyber security oversight at our power reactor licensees.
I'll go to Slide 1 in my presentation.
If Slide 1 is up, I can't see it so -- okay, this slide shows the timeline for the power reactor cyber security program starting with Commission approval of our cyber security rule in 2009. The rule is 10 CFR 73.54.
Power reactor licensees' cyber security programs were implemented in two phases. The first phase, completed in 2012, was focused on cyber security program structure and securing the most significant digital assets within the cyber security's infrastructure, the licensee's infrastructure.
The staff inspected those implementations from 2013 to 2015. Licensees completed the full cyber security implementation, so they went from the initial implementation to their full implementation in 2017. And the staff has been conducting inspections of the fully implemented programs for the past three years.
We've completed 53 inspections to date and are scheduled to complete the remaining five inspections in the first half of 2021. Over the course of the inspections, the staff has found, with reasonable assurance, that the licensees understand and have implemented the requirements of their cyber security programs.
In 2019 the staff conducted a self-assessment of the power reactor cyber security program. The assessment included all aspects of the program to include significant stakeholder input during multiple public meetings and other meetings with industry and internal NRC staff members.
As a result of the assessment and feedback from the NRC Office of Inspector General Audit of the Cyber Security Inspection Program, staff developed an action plan to evaluate opportunities for program improvement in the future.
Next slide, please. The cyber action plan focuses on five high level areas as identified on this slide. In 2019 and 2020 the staff has focused our attention primarily on risk informing critical digital asset determination and also on the Cyber Security Inspection Oversight Program following full implementation. The other three elements will be addressed in the near future.
In the area of critical digital asset determination, the staff and industry initially focused on evaluation and protection on digital assets in the areas of emergency preparedness, balance of plant, as well as the evaluation of appropriate protections for safety related and important to safety systems.
During 2020 industry and staff evaluated risk informed guidance modifications for balance of plant, emergency preparedness, and the safety related, important to safety systems. Through a series of public meetings, the staff evaluated and agreed to updated industry implementation guidance.
Today, the commercial nuclear fleet is starting to implement these revisions as part of their internal procedures. And the Nuclear Energy Institute, who maintains the guidance, is updating the overall guidance documents. Revisions are due to be submitted to the NRC staff for review and approval later this year.
The second step, oh, excuse me, the NRC staff is also working with industry at looking at updated guidance for physical security digital assets. We've conducted one public meeting and expect to provide feedback to industry on their proposed changes for guidance in that area in the near future.
In the area of inspection, the NRC staff have been developing a revision to the cyber security inspection procedure. The revision focuses on a shift from full implementation inspections which were primarily focused on verifying a wide variety of aspects of a licensee's implementation and, in detail, looking at how they have protected their digital assets.
And we intend to shift to reviewing the ongoing program execution of the cyber security infrastructure to verify that the programs are, excuse me, to verify that their programs are being implemented in accordance with their cyber security commitments and their cyber security program.
The staff has completed a draft of the new inspection procedure, and that draft was loaded into the Agency's document management system for public viewing yesterday. We will be hosting a public meeting in early April to discuss the draft procedure, and further information on accessing the procedure will be available as part of the public meeting announcement. The staff plans to have the new procedure in place to support cyber inspections, the next stage of cyber inspections which will start in January of 2022.
This completes my remarks, and I'll turn the virtual podium over to Paul Shanes.
MR. SHANES: Thank you, Jim. Let's start by thanking everybody for the opportunity to present today and for welcoming us along to your session.
It's really informative. And it's a great opportunity to collaborate. And I thought I'd start by just talking around the regulation of cyber security and how it's actually active within the United Kingdom's Civil Nuclear Sector.
So with that in mind, firstly to introduce myself, my name is Paul Shanes. I'm the professional lead for cyber security within ONR with the UK Statute Regulator across the Civil Nuclear Sector. And I oversee the specialist inspectors who look after cyber security and information assurance across the various duty holders, as we refer to them, within our regulatory terms.
Next slide, please. If we start by just looking at the trajectory we're on in terms of signed security regulation within the UK, what you'll hopefully see there, if it's not too small on the screen, is that we've gone through quite a radical transformation of late, and particularly over the last decade or so.
Starting back in 2007, we were a quite prescriptive regulator. We set out our expectations through something called the Technical Requirements Documents. This provided guidance on appropriate security standards, procedures, and arrangements.
It wasn't intentionally prescriptive, but licensees quite often referred heavily to the documents and the expectations contained within them.
And this led us, as an industry, down the inevitable path of prescription.
Back in 2012, we attempted to move away from this and started by setting some goals and high level objectives through the national objectives requirements or model standards in the regulatory framework.
Unfortunately, these were quite tactical and directive in tone. And the conditions just simply weren't right to move away from the culture prescription which had become embedded as a result of the initial approach back in 2007.
So in 2010, in 2012 we attempted to move to something rather more radical and really tried to embrace outcome-focused regulation. We did this with a new regulatory framework known as the Security Assessment Principles.
The Security Assessment Principles are high level and principle based. We don't give out model standards or model expectations but rather place great emphasis on strategic issues that may benefit security. We set out high level objectives and we asked duty holders to articulate to us your claims, arguments and evidence approach, how they intend to meet those objectives.
Below the Security Assessment Principles, we also have a suite of documentation aimed at our inspectors, technical assessment, and technical inspection guides. And those documents really aim to provide inspectors with a consistent framework from which to reach regulatory judgements.
Next slide, please. The topic of cyber security is covered in great detail within the Security Assessment Principles. We have ten fundamental principles within our expectations, and each of them tackles a different facet of security.
Within Fundamental Principle Number 7 there are five security deliverable principle areas that we expect our duty holders to achieve.
Basically, you can't see them on the screen there.
They revolve around effective cyber and information risk management, the exception of information through effective information security, protection of nuclear technology and operation with physical protection of information, and the preparation for and response to cyber security incidents.
And the key shift in our transition to the Security Assessment Principles is an emphasis that duty holders must maintain effective cyber security information assurance arrangements that integrate technical and procedural controls. So as we say on the slide there, good cyber security is not simply about good cyber security.
And what do I mean by that? If we look at the next slide, what we often find when we're going out and doing our inspections and intervention activity is that when we identify cyber security vulnerabilities and issues, they don't solely relate to tactical or technical measures. More often than not, they can be drawn back through root cause analysis to more strategic enablers and high level facets of security.
So what you can see on the screen there are the ten fundamental principles that we, as a regulator, expect of duty holder community. On the left hand side, you'll see a series of five principles listed as strategic enablers. And on the right, those that are more distinct in tone, the secure operations.
So on the right, you have physical protection, cyber security, workforce trustworthiness, sometimes referred to as vetting, policing and guarding, and emergency preparedness and response. These are all disciplined operations where we expect certain things of our duty holders.
But on the left hand side, you will see those higher level and more strategic enabling aspects of security which, as I mentioned earlier, are quite often at the root cause of regulatory challenges that we face.
And what we found in our transition to outcome-focused regulation is, by placing a greater onus on emphasis with our duty holders on ensuring that they have absolute clarity that they are responsible for the leadership, design, and implementation of effective security, that's required a tremendous amount of upscaling and a greater understanding of the risks that they face and the ways in which they need to mitigate against that.
So rather than, historically, ONR as the regulator simply setting out our expectations for security, we're now in a position where we set out high level expectations. And we require the duty holder community to understand and really get to grips with the challenges that they face and then articulate to us how they are going to deliver against those expectations in an effective manner.
We'll quite often find, when we do our intervention activity, that those fundamental areas around effective leadership, the culture within an organization, or the competence of the staff undertaking the activities, are the areas where we really get most benefit in terms of regulatory engagement as opposed to that's where we were before, focusing on more technical and tactical matters on the coalface.
Next slide, please. So for me, the Security Assessment Principles really take us back to basics. We have a variety of overarching key security principles that govern everything we do, whether that's cyber security, personnel security, or physical security, terms you'll be familiar with around secure (audio interference) design and appropriate use of threat intelligence information, a graded approach to the way in which we operate, categorizing and classifying information and assets in order to prioritize the protection against them, and an overarching onus upon defense in depth arrangements.
So we'd expect our duty holders within cyber security and information assurance arrangements to do exactly the same thing and follow the exact same process they do for other assets of security.
First and foremost, we expect them to categorize their assets. They can do this in one of two ways. And there's a significant amount of guidance available, but there simply isn't the time to go into detail today.
Firstly, they can classify information that they hold in line with the UK's government security classification scale. And that will give it a classification along with any other critical infrastructure in the UK. Alternatively, if we're talking about operational technology, then information is categorized. And it's categorized as either critical, major, significant, or minor, depending upon the impact of failure.
Once you categorize assets, when we want to determine an appropriate outcome, there's a methodology we follow within our Security Assessment Principles that articulates how to do that.
And the outcome will vary depending upon the categorization of the assets. So again, really using a graded approach as to whether we require complete confidence in the arrangements to protect and safeguard information, all the assets involved, or whether it's simply a case of identifying that something untoward has happened.
Finally, an appropriate posture will be set. And that posture will again depend on a combination of the categorization of the assets and the required outcome. And that really enables a proportions approach to the way in which we regulate.
Next slide, please. So in a non-prescriptive world, we're often asked how do we identify what good looks like. And it's a really challenging question, particularly when you've been used to a very prescriptive approach in the past.
Well, we turn to something called relevant good practice. And there are different standards of relevant good practice out there from a regulatory perspective.
There are defined standards that exist, so legislation, regulations, orders, and our overarching nuclear industry security regulations which really govern everything we do and give us the legal power to actually carry out our regulatory activity.
Those sets of good practice and expectations really hold the highest level of expectation. We even have established standards.
These are typically internationally recognized codes of practices. They can be internal within our organization, so they could be our expectations within our own security and safety assessments principles. But equally, they could be expectations set out by national technical authorities or international standards organizations.
And then finally, where no such standards exist, we look to interpretive standards. And these are standards which are not published or available greatly across the flow but are examples of the performance needed to meet uncertain expectation.
And sometimes the industry will actually come together in working groups and forums to identify what it looks like, where it doesn't exist in a particular standard or arrangement.
Next slide, please. So what have we found in our time as we've transitioned from a more prescriptive to an outcome-focused approach? Well, both positive and challenging aspects, if we're honest.
In terms of benefits, we found we've got a far greater interaction now with our colleagues in safety. Our outcome-focused approach is now consistent with that that has already been in place with our very mature safety regulatory approach.
And we found that there's an enhanced senior level of understanding across the sector.
It's much easier to articulate to a Board within a duty holder organization the challenges that are being faced, particularly when you've gone through a process of understanding and articulating the risk that exists.
The transfer of ownership from us as the regulator to our licensees or our duty holders has been something that's been particularly important.
In a world where we set out a very prescriptive approach, we believe we carry a significant amount of risk in doing so.
The move to outcome-focused regulation really puts decision making in the hands of those that it should be invested in, which are the licensees, the operators, who should be best placed to make decisions around the adequacy of the arrangements that they have with oversight from the process to regulator.
There's been significant amounts of upscaling and professionalization, particularly in terms of within ONR as the regulator. We've placed significant amounts of onus on ensuring that we have the right people in the right place to undertake our regulatory activity.
And it's now at a far greater level of flexibility and adaptiveness. We've been able to focus and target our regulatory activity where we perceive there to be greatest risk rather than historically where we actually just followed multi-trends across the sector and conducted the same work.
It hasn't all been perfect though. We've had a significant amount of challenges along the way.
The span and complexity of the change has been significant. And we have had a culture of prescription, which has been embedded previously, which has been difficult to overcome.
It has been difficult to convey this change and the perceived benefits across the sector in an effective manner. And it has taken a fair bit of resource on engagement in order to do that but one which we feel has been justified.
Training and education's been absolutely key. I mentioned that we've upscaled our own staff, particularly around cyber security, in order to carry out effective regulation. But the journey for many of our duty holders has been ongoing and is one that we're having to support them with so that we don't end up with a complete imbalance between the regulated entities and the regulator.
And of course, as all of you will be familiar with on this call, cyber security scales remain in very short supply globally. And so it can be a real challenge to attract and maintain the right people within the organizations to drive this level of change through.
So I think I'll conclude with my remarks there on the final slide. And I'll take questions at the end during the panel session. Thank you very much for your attention. I'm now going to hand over, I believe he's joined, to Justin. Thank you.
MR. SIGETICH: Good morning, everyone.
First I'd like to take the opportunity to thank you, to have the opportunity to speak today at this conference. I think this is an excellent opportunity to be able to share our experience from Canada with you.
My name is Justin Sigetich; I'm the director of the Systems Engineering Division at the Canadian Nuclear Safety Commission, the CNSC. And I'll be talking with you this morning about the CNSC's regulation of cyber security at nuclear power plants.
Next slide, please. This slide provides an overview of the subjects I'll cover in this presentation. But instead of reviewing this, I'll jump right into it.
Next slide, please. Here's an overview of the main gate of the Canadian Nuclear Safety Commission for those of you who are not familiar with us. I will not delve into any detail here other than to state that the CNSC is Canada's nuclear regulator.
And we regulate the use of nuclear energy and nuclear materials in Canada.
Next slide, please. The CNSC has a regulatory framework that provides us the legal authority to perform our regulatory work. The CNSC's regulatory framework consists of acts, regulations, licenses, and regulatory documents. Acts and regulations are passed by the Canadian Parliament and create overarching requirements for the CNSC and for the nuclear industry.
Licenses and regulatory documents are issued by the CNSC and specify requirements and guidance for the industry and requirements and guidance for specific licensees. Please note that we refer to the organizations that operate licensed facilities as licensees.
Next slide, please.            This slide outlines, in    general,      the  relevant      sections        of  the    CNSC's regulatory framework that are applicable to cyber security.          First, the general nuclear safety and control regulations require these licensees to take reasonable precautions to maintain the security of nuclear facilities and of nuclear substances.
Next, the nuclear security regulations provide        requirements      that    are      mostly    specific        to physical protection but have applicability to cyber security.          These regulations are currently in the process of being updated to include specific cyber security requirements.
The        CNSC        regulatory          document, REGDOC-2.5.2, which is entitled the Design of Reactor Facilities, Nuclear Power Plants, includes high level requirements and guidance for cyber security for the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433            WASHINGTON, D.C. 20005-3701              (202) 234-4433
 
25 design        of  nuclear    power      plants.          This  document applies        to  new  reactor      facilities,        and  it    also provides guidance for existing nuclear power plants.
Finally, licenses and License Condition Handbooks, which we call LCHs, provide the most site-specific requirements and guidance to each licensee.
The general purpose of these LCHs is for each licensed condition in the license to clarify the regulatory requirements          by    documenting          specific      compliance criteria and guidance.
The license condition that's applicable for cyber security for nuclear power plants is quite broad. It reads that the licensee shall implement and maintain a security program. And we interpret the phrase security program to include both a physical security program and a cyber security program. And that interpretation is clarified in each of the nuclear power plant's License Condition Handbook.
On the next slide, I'll talk about the history of the CNSC's regulation of cyber security.
So we can go onto the next slide, please.
The CNSC officially began regulating cyber security in 2008. At that time, the CNSC sent a letter to all nuclear power plant licensees stating our regulatory position and outlining our requirements and guidance for their cyber security programs.
The CNSC required all licensees to conduct a self-assessment, then develop and implement a comprehensive cyber security program. The expectations were based on international documents that were available at that time. For example, documents from the International Atomic Energy Agency, the IAEA, the Nuclear Energy Institute, and the US Nuclear Regulatory Commission were referenced.
The CNSC inspections of these cyber security programs will be discussed in a future slide.
Next slide, please. In 2012, the CSA Group was asked to develop a standard on cyber security on behalf of the nuclear industry in Canada.
Representatives from the CNSC, from the nuclear power plant licensees, and from other stakeholders participated in developing CSA N290.7-14, which is entitled Cyber Security for Nuclear Power Plants and Small Reactor Facilities. This document was published in 2015.
The cyber security standard covers the cyber security of new and existing nuclear power plants and small reactor facilities. This document states that, using the graded approach, the requirements can be applied to other nuclear facilities.
For your reference, the use of a graded approach means basically that the scope of actions necessary to comply with the requirements is commensurate with the relative risks and particular characteristics of the nuclear facility.
This CSA standard also specifies that cyber security controls are to be selected based on the classification of each cyber-essential asset in the facility after assessing the asset's safety significance and its vulnerability.
Now, that's another buzzword, so a cyber-essential asset is defined as basically an electronic device that has an impact on the functions important to nuclear safety, nuclear security, emergency preparedness, or safeguards functions.
The CNSC incorporated the CSA N290.7-14 standard into its regulatory framework and provided the nuclear power plant licensees with time to implement programs in accordance with this new standard. As of the end of 2020, all nuclear power plant licensees had informed the CNSC that their cyber security programs are in accordance with the standard.
Next slide, please. As for our future plans, the CSA Group is in the process of updating N290.7 to incorporate the lessons learned by the CNSC and by the licensees over the past five years. The revision project will also take into consideration new best practices as suggested by recent documents published by the IAEA and other international bodies.
Further, the title of the standard may be changed to reflect an increased scope for the standard. Instead of referring to nuclear power plants and small reactor facilities, the new standard may be titled Cyber Security for Nuclear Power Plants and Nuclear Facilities.
This change in scope could help apply the Canadian cyber security requirements and guidance to nuclear facilities that do not house reactors. The current plan is to publish a new version of the cyber security standard in March of 2022.
Next slide, please. I will now talk about CNSC inspections. To conduct inspections at nuclear facilities, the CNSC uses approved inspection guides. These inspection guides detail the specific checks and types of checks that inspectors are going to complete during the inspection to ensure that the program meets CNSC requirements, it meets the licensee's program requirements, and that the program is consistent with industry best practices. The purpose of the guides is to ensure that CNSC inspectors conduct the inspection in a transparent and consistent manner for all licensees.
Next slide, please. Specific to cyber security, prior to 2021 the CNSC performed inspections for the cyber security programs at all nuclear power plants. These inspections were carried out by reviewing documents at our head office and by performing onsite verification activities. Based on these inspections, the CNSC staff concluded that all nuclear power plant licensees were in compliance with the regulatory requirements in force at that time.
As I mentioned earlier, all nuclear power plant licensees have informed us that they have fully implemented the CSA N290.7-14 standard, and we will be starting inspections to verify their compliance this year.
Next slide, please. In addition to the update of the CSA N290.7 standard, and starting our CNSC inspections, we're also working on a number of other cyber security projects. First, as I mentioned earlier, the nuclear security regulations are being updated to include specific requirements for cyber security. We perform periodic updates to design basis threat analysis to reflect changes to the threat environment.
On the research front, the CNSC participates in a program called the Federal Nuclear Science and Technology Program which conducts research in nuclear science and technology. For cyber security, research is being conducted in areas such as supply chain protection, remote monitoring, and control of reactor systems.
The CNSC also meets with regulators and agencies from other governments to discuss cyber security issues, research, lessons learned, and best practices. And we have found that these discussions are particularly helpful to ensure that best practices and operating experience are effective and shared.
Next slide, please. In conclusion, the Canadian Nuclear Power Plants have all implemented cyber security programs. The CNSC has conducted inspections at each nuclear power plant and determined that the nuclear power plants met the regulatory requirements that were in place at the time of those inspections.
The regulatory requirements have now been updated to incorporate the CSA standard N290.7-14, and we have been informed that the licensee programs have been updated to implement this new standard.
Our compliance verification inspections based on the CSA standard will start in the coming months of this year. In addition, we continue to update our regulatory framework, be involved in research projects, and engage with government agencies within Canada and outside of Canada, all with an aim to improve the safety of cyber assets.
Next slide, please. That concludes my presentation. If you have any questions, please feel free to submit them through the Q&A feature for the session. In addition, please feel free to visit the CNSC's webpage displayed on this page for any additional information. Thank you very much.
MR. BEARDSLEY: And now I'll introduce Barry Kuehnle from the Federal Energy Regulatory Commission of the United States.
MR. KUEHNLE: Thank you, Jim. Good morning. I am Barry Kuehnle. I work for the Federal Energy Regulatory Commission in the Office of Electrical Reliability in the Division of Cyber Security, DCS.
Before I get started, I have to give our standard disclaimer to staff. I do not speak for the Commission, and my opinions are my own.
Just a little bit of background about FERC. I'm going to talk about our jurisdiction. Our jurisdiction, specifically for the bulk power system, is within the United States. And that excludes Alaska and Hawaii. It's approximately covering 100 kV and above, and we do not regulate nuclear. It also includes about 1,400 entities across the jurisdiction, again in the continental United States.
Where we get our authority at FERC, we get our authority through Section 215 of the Federal Power Act. And it gives FERC the authority to certify an electric reliability organization, called the ERO.
NERC, the North American Electric Reliability Corporation, has been named the ERO and is a non-governmental organization that is chartered to develop and enforce mandatory reliability standards subject to Commission review and approval.
It's important to note that the standards that the ERO is responsible for are actually written by industry.
As I mentioned, I work for the Division of Cyber Security, DCS. DCS is on a full life cycle of critical infrastructure protection standards from the development to the compliance aspect of those critical infrastructure and protection standards.
We oversee all aspects of cyber security related to the matters that affect the bulk power system. We monitor, and we participate in the development and the review of these standards, we oversee the compliance and enforcement with the approval of these standards. We observe and we perform audits related to the CIP standards, and we also assess and advise whether new standards should be modified or remanded. Currently, there are 12 enforceable standards.
In a little bit more detail, the critical infrastructure protection standards are required and do protect the bulk power system. They are very similar to the NIST standards, but they're written in a way that's going to be applied specifically to the bulk electric system. But if you were to match the two of them up, if you're familiar with the NIST standards, they're very similar.
But we also recognize the fact that cyber security threats are evolving, and they change really quickly, actually more quickly than standards could be developed. So as a result, we are continually looking at the changes to threats, to technologies, to resources, and how these CIP standards may change based on what's happening in the environment around them.
What needs to be done? As an example, in November of 2019 Chairman Chatterjee at the time introduced five focus areas to ensure that the CIP standards are keeping pace with the changing environments. And I'm going to cover those five topics at a high level. And then we'll leave the rest open for the panel discussion.
So the first one would be supply chain, insider threat, and third-party authorized access.
We looked at that particular topic in the sense that typical cyber security defenses are wrapped around perimeter security.
We're looking at supply chain, insider threat, and the third-party authorized access, which means that maybe a trusted partner, such as a vendor or a member company that you have a connection with, that is trusted, you potentially have the ability to maybe leapfrog those perimeter securities. So we're looking at ways to enhance the CIP standards to ensure that those types of threat factors, if you will, are addressed.
And the second one would be industry reactions to timely information on threats and vulnerabilities. And that would be information sharing, and not only within the electric sector but within other sectors as well, such as partners with the NRC we share information with and so on, and vice versa.
An example of that would be one of the CIP standards. CIP-008-6 requires reporting suspicious activity and events to FERC through the ERO and also to the Department of Homeland Security.
And that information is shared in an anonymous way to ensure that the timely information is disseminated quickly.
The third one would be Cloud and its security service providers. So we recognize the fact that Cloud is a technology that, if utilized properly, can be done securely and efficiently. And it helps with economies of scale by the way it's implemented.
And we're looking at ways that possibly the electric sector can take advantage of those controls in the Cloud.
And the fourth one would be adequacy of security controls. And what we mean by that is currently the CIP standards, specifically, rank facilities based on risk. And it would be high, medium, low impact ratings where the high and the medium, as you could expect, would probably have more, well, do have more security controls, where the low has minimal security controls, in my opinion.
So we're looking at ways to ensure that those low impact facilities do include also high and medium, but specifically low have the adequate security controls that would be justified for that risk.
And the last one would be internal network monitoring and detection. As I mentioned earlier, the CIP standards are very, in my opinion, are very similar to the NIST standards. If you overlay them, the controls are very similar.
What we have concern about is internal movement with any trust zone, so just lateral movement if a machine is compromised. So we're looking potentially at enhancing or ways that the internal network monitoring and detection can be done efficiently to ensure that any type of malicious activity is detected.
That's a very quick overview of some of the things we're doing here in DCS. Obviously, there's a lot more. But I'm looking forward to any questions that many have in the panel. Thank you very much.
MR. BEARDSLEY: Thank you, Barry. At this point, we'll go to the questions that have been submitted so far. We look forward to answering these and any other questions that the audience is interested in asking us.
So the first question goes to my presentation where I mentioned that the NRC's Office of Inspector General had conducted an audit of our Cyber Security Inspection Program. There were two findings as a result of that audit. The question was what were the findings.
So the answer is there were two findings.
The first one had to do with staff level of knowledge and also making sure we had enough staff so that we could account for retirements in staff. And the NRC staff is working on that process through our internal human resources activities.
The second finding had to do with introducing suitable performance measures into our inspection and oversight program. And as part of our new inspection procedure that we've drafted and we're working on implementing, we are looking at ways to include performance metrics and possibly performance testing and inputs to the staff's evaluation of a licensee's performance. That's the answer to the first question.
The second question was for Paul. And let me read it, and then we'll give Paul a chance to answer. With the UK's new approach, what are some of the steps taken to ensure the consistency of inspection and regulatory processes?
Also how does the outcome-driven approach ensure repeatability and scrutable regulatory process? Paul?
MR. SHANES: Thanks, Jim. And that's a really key question actually, and one that's been a part of implementation about conflict regulation, I think firstly from a consistency perspective. And our security assessment really provides the backbone of a consistent regulatory methodology that enables consistent regulatory judgements. So our expectations are articulated within that document.
And underneath those, I think I briefly alluded to we have a number of technical inspection and technical assessment guides. And really, they serve to provide the backbone of the consistency from an inspector's perspective. They articulate the sort of things that the inspector should consider.
So from a consistency perspective, that suite of documentation, which we make fully available to duty holders, really provides that level of consistency.
In terms of repeatable processes, one of the fundamental principles that we have within ONR, in common with all regulators within the UK, is the principle of proportionality. And one of the things that we do is, whilst we wish to have a repeatable, and certainly one which may be evidence process for the way in which we regulate the industry, it is proportionate. And it is based upon that identification of appropriate protection mechanisms up front.
So we don't necessarily follow the exact same schedule of interventions across all of our duty holders. We have varying regulatory attention levels. And that really guides the level of intervention activity that we undertake. However, there is consistency throughout, and that is based on the proportionality aspect that I mentioned there.
So in addition to that, occasionally we will also do thematic inspections whereby we will take a particular topic. If we wish to look at governance and leadership, or cyber security, for example, we may, as a thematic area, in consultation with government, look at doing that thematically across the sector and conducting consistent intervention activity.
But ordinarily, it is more targeted in our approach in order to achieve that preference for proportionality. I hope that answers the question.
Thank you.
MR. BEARDSLEY: Thank you, Paul.
The next question, let me make sure I've got it right here, was actually asked of the NRC, but I think it's a question that all of the licensees, or all of our panel members could speak to.
So let me read the question. Does the NRC distinguish between cyber security and physical security? If so, does the NRC view cyber/physical security approaches such as STPA, STPA Security, OCTAVE, or others?
So the NRC, from a regulatory point of view, starts our oversight with our cyber security rule. The rule then, we develop guidance for the rule which laid out the process for a licensee to develop and implement a cyber security plan.
The cyber security plans included a lot of structure that was related back to the National Institute Standards that Barry mentioned, the NIST standards. And so the controls that the licensees have to implement on their, not only in the manifestation of their program, but also in what they use to secure their digital assets, are laid out in their cyber security plans relatively explicitly.
And then they have industry guidance that they use to develop internal procedures to go determine which assets have to be protected and the level of protection for those assets. So there are no other tools or models being used to break down the systems or the other areas that have to be protected, with the exception of the fact that the rule requires them to address cyber security for safety, security, and emergency preparedness systems.
And then within those systems they determine which assets have to be protected and then subsequently what protections are appropriate for the assets.
So I hope that answers the question. And I'll turn it over to the other panel members if they have any thoughts.
MR. SHANES: So, Jim, just to complement that from an ONR perspective, everything really hinges around a duty holder having a site security plan or an equivalent if they're a transportation provider, for example. And within that site security plan, would come all the facets of security. And we're really looking for an integrated model and one which, you know, covers all aspects of security.
So do we distinguish between cyber and physical? Yes, we do. But we very much follow a graded approach and a defense in depth principle whereby actually, you know, we see the intrinsic link between all of the different facets of security.
And we expect our duty holders really to manage security holistically and to consider mitigation measures and security arrangements across the board rather than just focus purely on a dedicated cyber security plan that, for example, stood completely alone from other security expectations.
MR. BEARDSLEY: Thank you, Paul.
MR. KUEHNLE: This is Barry with FERC.
So from a physical perspective, the CIP standards include both physical and cyber. So specifically CIP-014, one of the standards within this suite, specifically addresses physical security. And also, physical security is kind of sprinkled throughout the standards as well, you know, such as protection of the data centers and the control systems, and that type of thing.
MR. SIGETICH: From a CNSC perspective, I would echo what my colleagues on this panel have said already. It's really that from a holistic perspective we're looking at both the integration of security aspect and cyber security, the physical security plus cyber security.
So really, we're looking to have licensees have an integrated approach to looking at all of the systems together. And we don't prescribe the type of models that they're using. We have overarching requirements for their -- that they need to come up with methods to have a security plan and a cyber security program. And they're the ones who propose the different methodologies that they use to meet the requirements. Thank you.
MR. BEARDSLEY: Thank you, Justin. So the next question was for Paul in particular. Power plants are subject to a range of cyber regimes, nuclear, electric, reliability, et cetera.
Do you feel the approach in the UK, high level expectations, in parentheses, allows entities to implement an enterprise-wide cyber program versus separate cyber programs designated to be very specific regulatory requirements by each regulatory body?
MR. SHANES: Yes, another really good question and something that has actually been at the heart of the implementation at CyOps again. Because one of the requests that we had from our duty holder community during extensive consultation was really to empower them to not have a mandated approach to cyber security, or security more widely, but rather to allow them to offer up evidence of arrangements that could be from other expectations, whether that's regulatory or certification expectations from other bodies, et cetera.
And the duty holders that we regulate are regulated in the round by numerous other organizations as well. But we have the sole responsibility from a nuclear perspective. You know, clearly there are expectations of our duty holders around data protection arrangements.
We regulate the civil nuclear constabulary, and they have expectations on them as a policing organization. And likewise our carriers, in terms of road, rail, and air, are often subject to maritime, air, or road regulations in terms of the way in which they operate.
So, you know, I'm a firm believer that actually the outcome-focused approach really does empower duty holders to put forward a suite of evidence which may come from satisfying any other regulatory expectation.
And provided that, you know, it justifies the claims that are being made by our duty holders, we are open to receiving that. And so we actually strongly encourage that. And we see it as a huge cost benefit to those that we regulate, that they can re-utilize evidence from other aspects of their business operation. Thank you.
MR. BEARDSLEY: Thank you, Paul. Does anyone else on the panel have any thoughts on that question? Or we can move onto the next.
MR. SIGETICH: Looking ahead, a bit of perspective from the CNSC that the CNSC's approach has always been to create higher level objectives as opposed to very specific, prescriptive requirements.
We do have some level of prescriptive requirements, but we do not specify in detail exactly all of the methods that licensees are required to follow.
We instead provide them with the overarching requirements, and they have flexibility in the way that they meet those requirements, as long as they can provide us with documented safety analysis to detail exactly why what they're proposing to do, if it doesn't meet our guidance, is acceptable.
So we have valued this approach of some regulatory flexibility, since it allows our licensees to be able to come up with better methods than had been thought. So anyway, this has been the CNSC approach.
But for us in this particular area, we have found that we have specified that licensees are to have comprehensive cyber security programs, that they are required to come up with one program for their facility. And that is to ensure that they are having a comprehensive management system that encompasses all of the various program systems and including, like, a comprehensive cyber security program as well.
So we're looking at them to have a comprehensive system, as part of our comprehensive system, for them to be able to ensure that they have all of the requirements they need and well documented governance.
MR. BEARDSLEY: Thank you, Justin. So let me move on to the next question. This is a question for all the panel members. Are there any operators or regulators that are studying the potential for blockchain technology as an integrated layer for securing records management?
And I'll take the first crack at this one, and then we can move on. The NRC staff has monitored the potential use of blockchain technology in multiple different areas. But we don't mandate to the licensees how they maintain their record systems or how they maintain their supply chain.
We understand that blockchain technology could be used for managing and securing multiple different elements of the supply chain. So we understand the technology, and we're watching it.
But it's really up to our licensees to elect to implement that type of technology or any technology.
And then they would basically, through inspection, we would observe how it is implemented and make sure that it meets the regulatory requirements.
And I'll turn the question over to the rest of the panel.
MR. SIGETICH: From the CNSC perspective -- oh, sorry, Paul.
MR. SHANES: Go ahead, please, Justin.
MR. SIGETICH: Oh, okay. From the CNSC perspective, I would echo what, Jim, you just said, that I have not heard of any specific use of blockchain.
But we would not be prescriptive in the methods that licensees use to protect their record systems other than our high level requirements that they need to ensure that their records are protected, and especially with any, what we call prescribed information that's held digitally. They would need to ensure that that information is protected from any potential cyber risk.
MR. SHANES: And quite similarly from the UK's perspective, you know, again it's not something that we would mandate in one way or another. The sector as a whole commissions a reasonable amount of research and development on an ongoing basis.
We support quite a bit of that, you know, in order to understand the regulatory aspects, and the sector obviously, to look at potential future uses of technology. But it's not something specifically that we would necessarily have an immediate view on without a duty holder proposing it.
MR. KUEHNLE: And this is Barry with FERC. I would echo the same thing. We do require the protection of documentation in a supply chain.
Obviously, we do not specifically recommend any type of technology that would ensure that those risks are mitigated.
MR. BEARDSLEY: Thanks, Barry. The next question is actually for you. So we'll keep you up on the screen here. Are additional CIP standards directed at CIP low impact site controls coming out?
MR. KUEHNLE: Obviously, I can't speak to anything that's happening internal to the Commission right now. However, the Commission has recently released the Cyber Security Incentive Program specifically for transmission where there is the opportunity for a transmission owner to enhance their cyber security controls, and many of those would be the low impact, and have financial benefit by doing that.
I know that, within the standard drafting teams, low impact is routinely discussed because of the security controls that are wrapped around those low impact. But as far as anything specific coming out, I can't speak to anything along those lines.
Thank you.
MR. BEARDSLEY: Thanks, Barry. The next question is for all the panel members. Is a quantitative risk assessment approach used to establish cyber security defenses, and what documents are used to assess cyber security risk?
So from a US point of view, each licensee has an approved cyber security plan. And within the cyber security plan, they have elements that may have systems they have to analyze. They have to decide which digital assets in those systems have to be protected. And then there's a series of protections that have to be assessed for each digital asset that's included.
Beyond that structure, it's really up to the licensees to determine the assessments and figuring out, well, in the level of protection of those assets have to, you know, have to be put in place for those assets.
The staff has reviewed and accepted for use a number of industry guidance documents that provide a structure for risk assessing different levels of assets in different systems and then agreeing with a somewhat lower set of controls that we placed on those assets.
But there is no particular model that's been used to date for assessing the risk of systems or assets and then what systems, what controls would be appropriate for those.
And with that, I'll turn the next question over to Paul.
MR. SHANES: Yes. So as you might expect, a similar answer, I think in terms of mandates within the CyOps, you know, the closest thing we would kind of go as far as mandating the categorization and classification of assets and associated postulate results from that.
Within our security delivery principles, affected information in cyber risk management is up there. And, you know, we set out some expectations for our duty holders but didn't go as far as mandating a particular approach. And so really it is for duty holders to put forward to us how they're going to effectively identify, categorize, and then manage any risks that result.
MR. SIGETICH: Similar for the Canadian approach, that we do not specify a particular model that they would need to use to be able to assess the risk of their cyber essential assets. So they have different methods that they use, but we do not specify any particular method that they use.
MR. KUEHNLE: And from a FERC perspective, the CIP standards in CIP-002, they have a method to determine your high, medium, and low impact. And you could wrap risk around those high, medium, and low impact.
MR. BEARDSLEY: Thank you. The very next question is for you again. So let's see, DHS did, let me just take out the acronym, the U.S. Department of Homeland Security did a cross-walk of the NIST 2.0 and electric sector requirements a year ago.
The questioner says, "I think." And 2.0 included supply chain, but how do the NIST and electric requirements address insider threat, trusted partner access, and third party authorizations? It's a good question.
MR. KUEHNLE: Excellent. So I'm going to speak specifically to the CIP standards, not the NIST standards. So the CIP standards, they include background checks, they include security awareness training. They include controls wrapped around the personnel that are in those high trust zones, if you will, from the CIP standards perspective. So that addresses your insider threats and your security awareness of just personnel in general.
From a trusted partner perspective, we're looking at technical controls as well. There are technical controls right now within the CIP standards that require, you know, justification reports and services and, you know, controls wrapped around monitoring of those connections that exist within the CIP standards to address those requirements.
But I think we all know, and I think SolarWinds is a really good example, of what just recently happened specifically with supply chain that kind of highlights the need to ensure that we need this type of security controls that are wrapped around supply chain and insiders, because I kind of lumped the two together.
It should be reviewed and ensure that they are robust enough to at least mitigate any type of event like a SolarWinds in the future. And I'm not saying we're going to be able to prevent it, but earlier detection is obviously better than later.
Thank you.
MR. BEARDSLEY: I can actually jump in and just give some perspective from the NRC point of view on supply chain in particular and then the insider threat.
From a supply chain point of view, we do have high level supply chain requirements that the licensees have committed to on their cyber security plans. There's not a specific or prescriptive process for the supply controls or system and services acquisition which is what the section is actually titled.
The U.S. NRC is working within the larger U.S. government with Department of Homeland Security and Department of Energy looking at methods to secure the electrical and subsequently the nuclear supply chain. That's a large problem. And I think that most people would recognize that it's going to take a lot of work.
But our licensees do have requirements for their purchasing. They do have requirements for testing of their systems. And they also have requirements for defense in depth so that if, for instance, a system or a component did get installed that had some level of malware or something like that in it, that they should be able to identify that as part of their overall system and take mitigative actions. So that's sort of the high level.
The other question had to do with insiders. The U.S. NRC does have insider mitigation regulations and requirements for all the licensees.
Those are inspected as a separate part of our regulatory oversight, not part of cyber security.
But we do rely on that to manage any potential cyber security insider activity.
That's the U.S. point of view, I don't know if Justin or Paul have any thoughts.
MR. SHANES: Yes, I'll be happy to kick off. So again, quite similar in terms of the expectations. We do set out high level expectations for effective supply chain management, effective contract security, and contract monitoring.
Our safety colleagues, from a supply chain perspective, also look at quality assurance expectations which, as you know, are making sure that, you know, assets are appropriately governed throughout the life cycle of the development and into operation.
In terms of insider threat once again, you know, we would again pick that up. Again it wouldn't necessarily be specifically within the cyber security team, because that probably is part of our workforce trustworthiness measures, and perhaps assessment of the cultural aspects within the organization as well, so a kind of broader aspect of security that we do set high expectations with.
MR. SIGETICH: I don't have much to add. Everyone has really addressed many of the same points that Canada has in its programs.
So for the supply chain, we are certainly very interested in ensuring that we are addressing any issues in the supply chain. We have research ongoing in this area to ensure that the supply chain is protected. And certainly the insider threat is one of the threats that's assessed in any of the analyses that are part of any security plan.
MR. BEARDSLEY: Thank you. The next question was actually targeted towards the NRC, so I will answer it. And then we can move on.
So the question is are we going to see force on force exercise start to look at cyber attacks as part of their exercises?
In the US, we do have a robust force on force testing program at all of our commercial power licensees. At this time, we have focused on the licensees implementing their programs. That's been the primary focus of our inspection and oversight.
We have evaluated the potential to include cyber security as part of the force on force program and have elected not to do that at this time.
There's a couple of reasons for that. One, based on the successful implementation of the licensees' programs, we believe there would be limited ability of a cyber attack to impact the physical security programs and thus be an active part of a force on force test.
And the other side of it is, you know, we're looking at overall licensee programs. And within the cyber security program, licensees do conduct their own internal exercises of their cyber security response which we believe adequately covers the same type of information you would gain from a force on force exam. So we don't know, at this time, that there would be a significant amount of information we would gain.
The next question is for everyone on the panel, so let me just read it out. And I know we're starting to run out of time, but I think we have enough time for this one.
There seems to be a pattern on the question of retirement or low staff supply to meet demand. What are the individual regulators doing and planning to do to sort out new talent and address the issue of cyber security professionals?
I'll take that first from the NRC perspective. We recognize that the level of cyber security knowledge worldwide, if not just in the United States, is extremely competitive. The U.S. government does have, actually, has implemented direct-hire authority for a number of agencies to directly hire cyber security professionals without having to go through a competitive process.
We evaluate the use of that, and we look at how we maintain our staffing. We also have staffing tools in our human resources programs that look at our overall staffing, what we need for the future. So we're looking five to ten years in the future, trying to factor in retirements and training for the staff.
At the NRC, we maintain the majority of cyber security expertise at our headquarters. And then we consult and assist the inspectors in the field with their cyber security inspections. And then by doing that we can centralize our training and the other assets we use to maintain our cyber security knowledge base.
I'll turn the question over to Justin to answer from a Canadian point of view.
MR. SIGETICH: Yes, from the Canadian perspective, I would say that cyber security is certainly one of the areas. But I think I would say that the aging workforce in the nuclear industry is certainly one aspect overall that is a concern.
And just to answer that in general, I'd say that the CNSC has the ability to hire staff directly across the board. So what we have is plans for succession, some succession plans looking for, like, a five-year and a ten-year plan, looking down the road.
We have talent management programs, we have training programs, and we're coming up with new training programs to ensure that any new hires would be able to take on their roles for the next few years and come in to use some of the new roles that would be open when people are looking at retirement in the next few years.
We're also developing and improving the current coaching and mentoring programs. And we're conducting targeted hiring for the areas where we know we'll have some weaknesses. When we have experts who have been in the industry for decades, when those people start to retire, we know that we need to make sure that we're hiring people with significant experience, and background, and trying to find ways of replacing that kind of experience.
But there are certainly challenges, but we're putting in place programs to be able to make sure that we can maintain the knowledge and skill to continue to effectively regulate the industry.
MR. BEARDSLEY: Paul?
MR. SHANES: Thanks, Jim. So I think in line with yourselves, we identify this as a real challenge. And it's certainly one of the things I picked up in the presentation. Trying to recruit and then retain appropriately qualified and experienced staff is a real challenge.
And it's not something that we, as a regulator, are suffering alone, nor as an industry actually. There is a huge amount of effort across the UK, led in part by government and in part by the National Technical Authority, our National Cyber Security Centre, to encourage and promote careers in cyber security. So I guess on a national footing, that is happening.
And also within the UK is the formation of a new Cyber Security Council, a professional body dedicated to cyber, which is undergoing work at the moment and really a lot of effort, I know, that's being placed nationally to encourage people to get into the field.
That doesn't necessarily immediately solve the problem within the nuclear sector. We do struggle, like many sectors, to attract and retain the right people. And we're really using a whole myriad of mechanisms to address that.
We're working really closely with industry to attempt to ensure that both we, as the regulator, but also duty holders have the right people. We're working with government on the formation of their next cyber security strategy for the sector.
And certainly training and retention of skills is featuring heavily in those conversations around how that might be taken forward jointly between government, industry, and the regulator. Because it's in all of our interests to get the right people.
Slightly close to time, within the regulator we have embarked on cyber security graduate programs and joined forces with industry to attract people into the sector without routinely sponsoring the graduates at apprenticeship placements that rotate across the sector to bring in the next cadre of future inspectors.
And we blend that with cross-training and joint working internally so that we work closely with colleagues in disciplines that are linked in places to ours, such as emergency preparedness and response, control and instrumentation expertise, for example.
And we work closely to cross-skill where it's appropriate, and to work jointly to really pass our skills and experience on. But it is something that is definitely a challenge. And I think it will remain a challenge for a while and one, I think, that we're not suffering alone. So all ideas welcome, please.
MR. BEARDSLEY: Barry?
MR. KUEHNLE: Yes, thank you. So I'm just going to echo what Jim said earlier related to the federal government. FERC pretty much follows the same model.
But I'd like to add from a utility perspective, I know the utilities really struggle with being able to find qualified staff in a cyber security perspective that not only understand cyber security but also understands the control systems, which is a unique environment to begin with, and how that cyber security relates to the need for real time communications within that industrial control system environment.
So from a utility perspective, some of the things that we're hearing from the utilities is what they do is they train within, they go to recruit at colleges. They do as much as they can to try to grow people from the ground up to get into that cyber security environment since it is so unique.
They're having a lot of success, from what I'm hearing and what I'm seeing from the audits that we're on as well, that people actually are growing within the organization that may have a desire to learn it, are kind of filling those roles in addition to, you know, your standard pathways of going through colleges and recruiting, and community colleges as well, and so on. Thank you.
MR. BEARDSLEY: Thank you, Barry. Well, that brings us to pretty much the end of our session.
I don't know that we're going to have time to answer any more questions.
At this point, I'd like to thank all of the panelists. I think we covered a lot of ground today, a lot of different perspectives. Although what you might find is, although we are coming from different perspectives and regulating different levels of industries, I think the approaches we're taking are relatively similar. And we're all very, very interested in making sure that our respective licensees have the appropriate cyber security controls in place.
Again, thank you to the panelists. I'd like to thank the RIC support staff. The background of running this RIC digitally has been a challenge, but I think they did a great job.
And I'd also like to thank Yuris Guantrans (phonetic) and Dan Warner of my staff who helped us organize the questions, reached out to the panelists about 1,000 times to make sure everyone understood what we were doing to get logged in and get ready for the RIC.
Thank you very much. And I hope you enjoy the rest of the program.
(Whereupon, the above-entitled matter went off the record at 11:59 a.m.)
}}

Revision as of 00:47, 9 September 2021

Transcript for T9
ML21225A703
Person / Time
Issue date: 03/09/2021
From:
NRC/OCM
To:
References
NRC-1420
Download: ML21225A703 (66)


Text

Official Transcript of Proceedings NUCLEAR REGULATORY COMMISSION

Title:

33rd Regulatory Information Conference Technical Session - T9 Docket Number: (n/a)

Location: teleconference Date: Tuesday, March 9, 2021 Work Order No.: NRC-1420 Pages 1-61 NEAL R. GROSS AND CO., INC.

Court Reporters and Transcribers 1323 Rhode Island Avenue, N.W.

Washington, D.C. 20005 (202) 234-4433

1 UNITED STATES OF AMERICA NUCLEAR REGULATORY COMMISSION

+ + + + +

33RD REGULATORY INFORMATION CONFERENCE (RIC)

+ + + + +

TECHNICAL SESSION - T9 POWER REACTOR CYBER SECURITY:

THE PRESENT AND THE FUTURE

+ + + + +

TUESDAY, MARCH 9, 2021

+ + + + +

The Commission met via Video Teleconference, at 10:45 a.m. EST, Jim Beardsley, Chief, Cyber Security Branch, Division of Physical and Cyber Security Policy, Office of Nuclear Security and Incident Response, presiding.

PRESENT:

JIM BEARDSLEY, Chief, Cyber Security Branch, Division of Physical and Cyber Security Policy, NSIR/NRC PAUL SHANES, Professional Lead for Cyber Security and Superintending Inspector, United Kingdom Office of Nuclear Regulation NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.

(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433

2 JUSTIN SIGETICH, Director, Systems Engineering Division, Canadian Nuclear Safety Commission BARRY KUEHNLE, Critical Infrastructure Protection Senior Advisor, Office of Electric Reliability, Federal Energy Regulatory Commission DAN WARNER, IT Specialist, Cyber Security Branch, Division of Physical and Cyber Security Policy, NSIR/NRC NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.

(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433

3 C-O-N-T-E-N-T-S Introduction Jim Beardsley................................4 Regulation of Cyber Security across the United Kingdom's Civil Nuclear Sector Paul Shanes..................................9 CNSC Cyber Security Program at Nuclear Power Plants: The Present and The Future Justin Sigetich.............................20 Barry Kuehnle...............................29 Question and Answer Session.......................35 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.

(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433

4 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.

(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433

5 P R O C E E D I N G S 10:45 a.m.

MR. BEARDSLEY: Good morning, ladies and gentlemen. Thank you for joining us for the Cyber Security 2021 RIC Session. Today's discussion is the latest in a series of RIC sessions on NRC's Cyber Security Oversight Program.

My name is Jim Beardsley, and I'm chief of the Cyber Security Branch in the NRC's Office of Nuclear Security and Incident Response. For today's session, I'll be joined by a group of international and interagency colleagues discussing the present and future of our respective cyber security oversight programs. We look forward to your questions as we proceed through the agenda.

The panel members include the following.

Mr. Paul Shanes from the United Kingdom's Office of Nuclear Regulation. Paul is a professional lead for cyber security at ONR.

We had hoped to have Mr. Justin Sigetich from the Canadian Nuclear Safety Commission, but he has not been able to connect at this point. If he does, we'll add Justin to the agenda. Justin is the director of CNSC's Systems Engineering Division.

NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.

(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433

6 And last but not least, Mr. Barry Kuehnle from the US Federal Energy Regulatory Commission.

Barry is a senior level energy infrastructure and cyber security advisor at FERC.

As we progress through the session, please feel free to enter questions into the session portal. Our team will queue up the questions for the panel following our remarks.

At this point, we'll transition into my presentation. I'll start out today's presentation with an update on the NRC's Cyber Security Oversight Program and then discuss the NRC's plans for the future of cyber security oversight at our power reactor licensees.

I'll go to Slide 1 in my presentation.

If Slide 1 is up, I can't see it so -- okay, this slide shows the timeline for the power reactor cyber security program starting with Commission approval of our cyber security rule in 2009. The rule is 10 CFR 73.54.

Power reactor licensee's cyber security programs were implemented in two phases. The first phase, completed in 2012, was focused on cyber security program structure and securing the most NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.

(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433

7 significant digital assets within the cyber security's infrastructure, the licensee's infrastructure.

The staff inspected those implementations from 2013 to 2015. Licensees completed the full cyber security implementation, so they went from the initial implementation to their full implementation in 2017. And the staff has been conducting inspections of the fully implemented programs for the past three years.

We've completed 53 inspections to date and are scheduled to complete the remaining five inspections in the first half of 2021. Over the course of the inspections, the staff has found, with reasonable assurance, that the licensees understand and have implemented the requirements of their cyber security programs.

In 2019 the staff conducted a self-assessment of the power reactor cyber security program. The assessment included all aspects of the program to include significant stakeholder input during multiple public meetings and other meetings with industry and internal NRC staff members.

As a result of the assessment and NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.

(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433

8 feedback from the NRC Office of Inspector General Audit of the Cyber Security Inspection Program, staff developed an action plan to evaluate opportunities for program improvement in the future.

Next slide, please. The cyber action plan focuses on five high level areas as identified on this slide. In 2019 and 2020 the staff has focused our attention primarily on risk informing critical digital asset determination and also on the Cyber Security Inspection Oversight Program following full implementation. The other three elements will be addressed in the near future.

In the area of critical digital asset determination, the staff and industry initially focused on evaluation and protection on digital assets in the areas of emergency preparedness, balance of plant, as well as the evaluation of appropriate protections for safety related and important to safety systems.

During 2020 industry and staff evaluated risk informed guidance modifications for balance of plant, emergency preparedness, and the safety related, important to safety systems. Through a series of public meetings, the staff evaluated and NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.

(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433

9 agreed to updated industry implementation guidance.

Today, the commercial nuclear fleet is starting to implement these revisions as part of their internal procedures. And the Nuclear Energy Institute, who maintains the guidance, is updating the overall guidance documents. Revisions are due to be submitted to the NRC staff for review and approval later this year.

The second step, oh, excuse me, the NRC staff is also working with industry at looking at updated guidance for physical security digital assets. We've conducted one public meeting and expect to provide feedback to industry on their proposed changes for guidance in that area in the near future.

In the area of inspection, the NRC staff have been developing a revision to the cyber security inspection procedure. The revision focuses on a shift from full implementation inspections which were primarily focused on verifying a wide variety of aspects of a licensee's implementation and, in detail, looking at how they have protected their digital assets.

And we intend to shift to reviewing the ongoing program execution of the cyber security infrastructure to verify that the programs are, excuse me, to verify that their programs are being implemented in accordance with their cyber security commitments and their cyber security program.

The staff has completed a draft of the new inspection procedure, and that draft was loaded into the Agency's document management system for public viewing yesterday. We will be hosting a public meeting in early April to discuss the draft procedure, and further information on accessing the procedure will be available as part of the public meeting announcement. The staff plans to have the new procedure in place to support cyber inspections, the next stage of cyber inspections which will start in January of 2022.

This completes my remarks, and I'll turn the virtual podium over to Paul Shanes.

MR. SHANES: Thank you, Jim. Let's start by thanking everybody for the opportunity to present today and for welcoming us along to your session.

It's really informative. And it's a great opportunity to collaborate. And I thought I'd start by just talking around the regulation of cyber security and how it's actually active within the United Kingdom's Civil Nuclear Sector.

So with that in mind, firstly to introduce myself, my name is Paul Shanes. I'm the professional lead for cyber security within ONR with the UK Statute Regulator across the Civil Nuclear Sector. And I oversee the specialist inspectors who look after cyber security and information assurance across the various duty holders, as we refer to them, within our regulatory terms.

Next slide, please. If we start by just looking at the trajectory we're on in terms of signed security regulation within the UK, what you'll hopefully see there, if it's not too small on the screen, is that we've gone through quite a radical transformation of late, and particularly over the last decade or so.

Starting back in 2007, we were a quite prescriptive regulator. We set out our expectations through something called the Technical Requirements Documents. This provided guidance on appropriate security standards, procedures, and arrangements.

It wasn't intentionally prescriptive, but licensees quite often referred heavily to the documents and the expectations contained within them.

And this led us, as an industry, down the inevitable path of prescription.

Back in 2012, we attempted to move away from this and started by setting some goals and high level objectives through the national objectives requirements or model standards in the regulatory framework.

Unfortunately, these were quite tactical and directive in tone. And the conditions just simply weren't right to move away from the culture prescription which had become embedded as a result of the initial approach back in 2007.

So in 2010, in 2012 we attempted to move to something rather more radical and really tried to embrace outcome-focused regulation. We did this with a new regulatory framework known as the Security Assessment Principles.

The Security Assessment Principles are high level and principle based. We don't give out model standards or model expectations but rather place great emphasis on strategic issues that may benefit security. We set out high level objectives and we asked duty holders to articulate to us your claims, arguments and evidence approach, how they intend to meet those objectives.

Below the Security Assessment Principles, we also have a suite of documentation aimed at our inspectors, technical assessment, and technical inspection guides. And those documents really aim to provide inspectors with a consistent framework from which to reach regulatory judgements.

Next slide, please. The topic of cyber security is covered in great detail within the Security Assessment Principles. We have ten fundamental principles within our expectations, and each of them tackles a different facet of security.

Within Fundamental Principle Number 7 there are five security deliverable principle areas that we expect our duty holders to achieve.

Basically, you can't see them on the screen there.

They revolve around effective cyber and information risk management, the exception of information through effective information security, protection of nuclear technology and operation with physical protection of information, and the preparation for and response to cyber security incidents.

And the key shift in our transition to the Security Assessment Principles is an emphasis that duty holders must maintain effective cyber security information assurance arrangements that integrate technical and procedural controls. So as we say on the slide there, good cyber security is not simply about good cyber security.

And what do I mean by that? If we look at the next slide, what we often find when we're going out and doing our inspections and intervention activity is that when we identify cyber security vulnerabilities and issues, they don't solely relate to tactical or technical measures. More often than not, they can be drawn back through root cause analysis to more strategic enablers and high level facets of security.

So what you can see on the screen there are the ten fundamental principles that we, as a regulator, expect of duty holder community. On the left hand side, you'll see a series of five principles listed as strategic enablers. And on the right, those that are more distinct in tone, the secure operations.

So on the right, you have physical protection, cyber security, workforce trustworthiness, sometimes referred to as vetting, policing and guarding, and emergency preparedness and response. These are all disciplined operations where we expect certain things of our duty holders.

But on the left hand side, you will see those higher level and more strategic enabling aspects of security which, as I mentioned earlier, are quite often at the root cause of regulatory challenges that we face.

And what we found in our transition to outcome-focused regulation is, by placing a greater onus on emphasis with our duty holders on ensuring that they have absolute clarity that they are responsible for the leadership, design, and implementation of effective security, that's required a tremendous amount of upskilling and a greater understanding of the risks that they face and the ways in which they need to mitigate against that.

So rather than, historically, ONR as the regulator simply setting out our expectations for security, we're now in a position where we set out high level expectations. And we require the duty holder community to understand and really get to grips with the challenges that they face and then articulate to us how they are going to deliver against those expectations in an effective manner.

We'll quite often find, when we do our intervention activity, that those fundamental areas around effective leadership, the culture within an organization, or the competence of the staff undertaking the activities, are the areas where we really get most benefit in terms of regulatory engagement as opposed to that's where we were before, focusing on more technical and tactical matters on the coalface.

Next slide, please. So for me, the Security Assessment Principles really take us back to basics. We have a variety of overarching key security principles that govern everything we do, whether that's cyber security, personnel security, or physical security, terms you'll be familiar with around secure (audio interference) design and appropriate use of threat intelligence information, a graded approach to the way in which we operate, categorizing and classifying information and assets in order to prioritize the protection against them, and an overarching onus upon defense in depth arrangements.

So we'd expect our duty holders within cyber security and information assurance arrangements to do exactly the same thing and follow the exact same process they do for other aspects of security.

First and foremost, we expect them to categorize their assets. They can do this in one of two ways. And there's a significant amount of guidance available, but there simply isn't the time to go into detail today.

Firstly, they can classify information that they hold in line with the UK's government security classification scale. And that will give it a classification along with any other critical infrastructure in the UK. Alternatively, if we're talking about operational technology, then information is categorized. And it's categorized as either critical, major, significant, or minor, depending upon the impact of failure.

Once you categorize assets, when we want to determine an appropriate outcome, there's a methodology we follow within our Security Assessment Principles that articulates how to do that.

And the outcome will vary depending upon the categorization of the assets. So again, really using a graded approach as to whether we require complete confidence in the arrangements to protect and safeguard information, all the assets involved, or whether it's simply a case of identifying that something untoward has happened.

Finally, an appropriate posture will be set. And that posture will again depend on a combination of the categorization of the assets and the required outcome. And that really enables a proportionate approach to the way in which we regulate.

Next slide, please. So in a non-prescriptive world, we're often asked how do we identify what good looks like. And it's a really challenging question, particularly when you've been used to a very prescriptive approach in the past.

Well, we turn to something called relevant good practice. And there are different standards of relevant good practice out there from a regulatory perspective.

There are defined standards that exist, so legislation, regulations, orders, and our overarching nuclear industry security regulations which really govern everything we do and give us the legal power to actually carry out our regulatory activity.

Those sets of good practice and expectations really hold the highest level of expectation. We even have established standards.

These are typically internationally recognized codes of practices. They can be internal within our organization, so they could be our expectations within our own security and safety assessments principles. But equally, they could be expectations set out by national technical authorities or international standards organizations.

And then finally, where no such standards exist, we look to interpretive standards. And these are standards which are not published or available greatly across the flow but are examples of the performance needed to meet uncertain expectation.

And sometimes the industry will actually come together in working groups and forums to identify what it looks like, where it doesn't exist in a particular standard or arrangement.

Next slide, please. So what have we found in our time as we've transitioned from a more prescriptive to an outcome-focused approach? Well, both positive and challenging aspects, if we're honest.

In terms of benefits, we found we've got a far greater interaction now with our colleagues in safety. Our outcome-focused approach is now consistent with that that has already been in place with our very mature safety regulatory approach.

And we found that there's an enhanced senior level of understanding across the sector.

It's much easier to articulate to a Board within a duty holder organization the challenges that are being faced, particularly when you've gone through a process of understanding and articulating the risk that exists.

The transfer of ownership from us as the regulator to our licensees or our duty holders has been something that's been particularly important.

In a world where we set out a very prescriptive approach, we believe we carry a significant amount of risk in doing so.

The move to outcome-focused regulation really puts decision making in the hands of those that it should be invested in, which are the licensees, the operators, who should be best placed to make decisions around the adequacy of the arrangements that they have with oversight from the process to regulator.

There's been significant amounts of upskilling and professionalization, particularly in terms of within ONR as the regulator. We've placed significant amounts of onus on ensuring that we have the right people in the right place to undertake our regulatory activity.

And it's now at a far greater level of flexibility and adaptiveness. We've been able to focus and target our regulatory activity where we perceive there to be greatest risk rather than historically where we actually just followed multi-trends across the sector and conducted the same work.

It hasn't all been perfect though. We've had a significant amount of challenges along the way.

The span and complexity of the change has been significant. And we have had a culture of prescription, which has been embedded previously, which has been difficult to overcome.

It has been difficult to convey this change and the perceived benefits across the sector in an effective manner. And it has taken a fair bit of resource on engagement in order to do that but one which we feel has been justified.

Training and education's been absolutely key. I mentioned that we've upskilled our own staff, particularly around cyber security, in order to carry out effective regulation. But the journey for many of our duty holders has been ongoing and is one that we're having to support them with so that we don't end up with a complete imbalance between the regulated entities and the regulator.

And of course, as all of you will be familiar with on this call, cyber security skills remain in very short supply globally. And so it can be a real challenge to attract and maintain the right people within the organizations to drive this level of change through.

So I think I'll conclude with my remarks there on the final slide. And I'll take questions at the end during the panel session. Thank you very much for your attention. I'm now going to hand over, I believe he's joined, to Justin. Thank you.

MR. SIGETICH: Good morning, everyone.

First I'd like to take the opportunity to thank you, to have the opportunity to speak today at this conference. I think this is an excellent opportunity to be able to share our experience from Canada with you.

My name is Justin Sigetich, I'm the director of the Systems Engineering Division at the Canadian Nuclear Safety Commission, the CNSC. And I'll be talking with you this morning about the CNSC's regulation of cyber security at nuclear power plants.

Next slide, please. This slide provides an overview of the subjects I'll cover in this presentation. But instead of reviewing this, I'll jump right into it.

Next slide, please. Here's an overview of the mandate of the Canadian Nuclear Safety Commission for those of you who are not familiar with us. I will not delve into any detail here other than to state that the CNSC is Canada's nuclear regulator.

And we regulate the use of nuclear energy and nuclear materials in Canada.

Next slide, please. The CNSC has a regulatory framework that provides us the legal authority to perform our regulatory work. The CNSC's regulatory framework consists of acts, regulations, licenses, and regulatory documents. Acts and regulations are passed by the Canadian Parliament and create overarching requirements for the CNSC and for the nuclear industry.

Licenses and regulatory documents are issued by the CNSC and specify requirements and guidance for the industry and requirements and guidance for specific licensees. Please note that we refer to the organizations that operate licensed facilities as licensees.

Next slide, please. This slide outlines, in general, the relevant sections of the CNSC's regulatory framework that are applicable to cyber security. First, the general nuclear safety and control regulations require these licensees to take reasonable precautions to maintain the security of nuclear facilities and of nuclear substances.

Next, the nuclear security regulations provide requirements that are mostly specific to physical protection but have applicability to cyber security. These regulations are currently in the process of being updated to include specific cyber security requirements.

The CNSC regulatory document, REGDOC-2.5.2, which is entitled the Design of Reactor Facilities, Nuclear Power Plants, includes high level requirements and guidance for cyber security for the design of nuclear power plants. This document applies to new reactor facilities, and it also provides guidance for existing nuclear power plants.

Finally, licenses and License Condition Handbooks, which we call LCHs, provide the most site-specific requirements and guidance to each licensee.

The general purpose of these LCHs is for each licensed condition in the license to clarify the regulatory requirements by documenting specific compliance criteria and guidance.

The license condition that's applicable for cyber security for nuclear power plants is quite broad. It reads that the licensee shall implement and maintain a security program. And we interpret the phrase security program to include both a physical security program and a cyber security program. And that interpretation is clarified in each of the nuclear power plant's License Condition Handbook.

On the next slide, I'll talk about the history of the CNSC's regulation of cyber security.

So we can go onto the next slide, please.

The CNSC officially began regulating cyber security in 2008. At that time, the CNSC sent a letter to all nuclear power plant licensees stating our regulatory position and outlining our requirements and guidance for their cyber security programs.

The CNSC required all licensees to conduct a self-assessment, then develop and implement a comprehensive cyber security program. The expectations were based on international documents that were available at that time. For example, documents from the International Atomic Energy Agency, the IAEA, the Nuclear Energy Institute, and the US Nuclear Regulatory Commission were referenced.

The CNSC inspections of these cyber security programs will be discussed in a future slide.

Next slide, please. In 2012, the CSA Group was asked to develop a standard on cyber security on behalf of the nuclear industry in Canada.

Representatives from the CNSC, from the nuclear power plant licensees, and from other stakeholders participated in developing CSA N290.7-14 which is entitled Cyber Security for Nuclear Power Plants and Small Reactor Facilities. This document was published in 2015.

The cyber security standard covers the cyber security of new and existing nuclear power plants and small reactor facilities. This document states that, using the graded approach, the requirements can be applied to other nuclear facilities.

For your reference, the use of a graded approach means basically that the scope of actions necessary to comply with the requirements are commensurate with the relative risks and particular characteristics of the nuclear facility.

This CSA standard also specifies that cyber security controls are to be selected based on the classification of each cyber-essential asset in the facility after assessing the asset's safety significance and its vulnerability.

Now, that's another buzz word, so a cyber-essential asset is defined as basically an electronic device that has an impact on the functions important to nuclear safety, nuclear security, emergency preparedness, or safeguards functions.

The CNSC incorporated the CSA N290.7-14 standard into its regulatory framework and provided the nuclear power plant licensees with time to implement programs in accordance with this new standard. As of the end of 2020, all nuclear power plant licensees had informed the CNSC that their cyber security programs are in accordance with their standard.

Next slide, please. As for our future plans, the CSA Group is in the process of updating N290.7 to incorporate the lessons learned by the CNSC and by the licensees over the past five years. The revision project will also take into consideration new best practices as suggested by recent documents published by the IAEA and other international bodies.

Further, the title of the standard may be changed to reflect an increased scope for the standard. Instead of referring to nuclear power plants and small reactor facilities, the new standard may be titled Cyber Security for Nuclear Power Plants and Nuclear Facilities.

This change in scope could help apply the Canadian cyber security requirements and guidance to nuclear facilities that do not house reactors. The current plan is to publish a new version of the cyber security standard in March of 2022.

Next slide, please. I will now talk about CNSC inspections. To conduct inspections at nuclear facilities, the CNSC uses approved inspection guides. These inspection guides detail the specific checks and types of checks that inspectors are going to complete during the inspection to ensure that the program meets CNSC requirements, it meets licensee's program requirements, and that the program is consistent with industry best practices. The purpose of the guides is to ensure that CNSC inspectors conduct the inspection in a transparent and consistent manner for all licensees.

Next slide, please. Specific to cyber security, prior to 2021 the CNSC performed inspections for the cyber security programs at all nuclear power plants. These inspections were carried out by reviewing documents at our head office and by performing onsite verification activities. Based on these inspections, the CNSC staff concluded that all nuclear power plant licensees were in compliance with the regulatory requirements in force at that time.

As I mentioned earlier, all nuclear power plant licensees have informed us that they have fully implemented the CSA N290.7-14 standard and will be starting inspections to verify their compliance starting this year.

Next slide, please. In addition to the update of the CSA N290.7 standard, and starting our CNSC inspections, we're also working on a number of other cyber security projects. First, as I mentioned earlier, the nuclear security regulations are being updated to include specific requirements for cyber security. We perform periodic updates to design basis threat analysis to reflect changes to the threat environment.

On the research front, the CNSC participates in a program called the Federal Nuclear Science and Technology Program which conducts research in nuclear science and technology. For cyber security, research is being conducted in areas such as supply chain protection, remote monitoring, and control of reactor systems.

The CNSC also meets with regulators and agencies from other governments to discuss cyber security issues, research, lessons learned, and best practices. And we have found that these discussions are particularly helpful to ensure that best practices and operating experience is effective and shared.

Next slide, please. In conclusion, the Canadian Nuclear Power Plants have all implemented cyber security programs. The CNSC has conducted inspections at each nuclear power plant and determined that the nuclear power plants met the regulatory requirements that were in place at the time of those inspections.

The regulatory requirements have now been updated to incorporate the CSA standard N290.7-14, and we have been informed that the licensee programs have been updated to implement this new standard.

Our compliance verification inspections based on the CSA standard will start in the coming months and start this year. In addition, we continue to update our regulatory framework, be involved in research projects, and engage with government agencies within Canada and outside of Canada, all with an aim to improve the safety of cyber assets.

Next slide, please. That concludes my presentation. If you have any questions, please feel free to submit them through the Q&A feature for the session. In addition, please feel free to visit the CNSC's webpage displayed on this page for any additional information. Thank you very much.

MR. BEARDSLEY: And now I'll introduce Barry Kuehnle from the Federal Energy Regulatory Commission of the United States.

MR. KUEHNLE: Thank you, Jim. Good morning. I am Barry Kuehnle. I work for the Federal Energy Regulatory Commission in the Office of Electrical Reliability in the Division of Cyber Security, DCS.

Before I get started, I have to give our standard disclaimer to staff. I do not speak for the Commission, and my opinions are my own.

Just a little bit of background about FERC. I'm going to talk about our jurisdiction. Our jurisdiction, specifically for the bulk power system, is within the United States. And that excludes Alaska and Hawaii. It's approximately covering 100 kV and above, and we do not regulate nuclear. It also includes about 1,400 entities across the jurisdiction, again in the continental United States.

Where we get our authority at FERC, we get our authority through Section 215 of the Federal Power Act. And it gives FERC the authority to certify an electric reliability organization, called the ERO.

NERC, the North American Electric Reliability Corporation, has been named the ERO and is a non-governmental organization that is chartered to develop and enforce mandatory reliability standards subject to Commission review and approval.

It's important to note that the standards that the ERO is responsible for is actually written by industry.

As I mentioned, I work for the Division of Cyber Security, DCS. DCS is on a full life cycle of critical infrastructure protection standards from the development to the compliance aspect of those critical infrastructure and protection standards.

We oversee all aspects of cyber security related to the matters that affect the bulk power system. We monitor, and we participate in the development and the review of these standards, we oversee the compliance and enforcement with the approval of these standards. We observe and we perform audits related to the CIP standards, and we also assess and advise whether new standards should be modified or remanded. Currently, there are 12 enforceable standards.

In a little bit more detail, the critical infrastructure protection standards are required and do protect the bulk power system. They are very similar to the NIST standards, but they're written in a way that's going to be applied specifically to the bulk electric system. But if you were to match the two of them up, if you're familiar with the NIST standards, they're very similar.

But we also recognize the fact that cyber security threats are evolving, and they change really quickly, actually more quickly than standards could be developed. So as a result, we are continually looking at the changes to threats, to technologies, to resources, and how these CIP standards may change based on what's happening in the environment around them.

What needs to be done? As an example, in November of 2019 Chairman Chatterjee at the time introduced five focus areas to ensure that the CIP standards are keeping pace with the changing environments. And I'm going to cover those five topics at a high level. And then we'll leave the rest open for the panel discussion.

So the first one would be supply chain, insider threat, and third-party authorized access.

We looked at that particular topic in the sense that typical cyber security defenses are wrapped around perimeter security.

We're looking at supply chain, insider threat, and the third-party authorized access which means that maybe a trusted partner, such as a vendor or a member company that you have a connection with, that is trusted, you potentially have the ability to maybe leapfrog those perimeter securities. So we're looking at ways to enhance the CIP standards to ensure that those type of threat factors, if you will, are addressed.

And the second one would be industry reactions to timely information on threats and vulnerabilities. And that would be information sharing, and not only within the electric sector but within other sectors as well, such as partners with the NRC we share information with and so on, and vice versa.

An example of that would be one of the CIP standards. CIP-008-6 requires the reporting of suspicious activity and events to FERC through the ERO and also to the Department of Homeland Security.

And that information is shared in an anonymous way to ensure that the timely information is disseminated quickly.

The third one would be Cloud and its security service providers. So we recognize the fact that Cloud is a technology that, if utilized properly, can be done securely and efficiently. And it helps with economies of scale by the way it's implemented.

And we're looking at ways that possibly the electric sector can take advantage of those controls in the Cloud.

And the fourth one would be adequacy of security controls. And what we mean by that is currently the CIP standards, specifically, rank facilities based on risk. And it would be high, medium, low impact ratings where the high and the medium, as you could expect, would probably have more, well, do have more security controls, where the low has minimal security controls, in my opinion.

So we're looking at ways to ensure that those low impact facilities do include also high and medium, but specifically low have the adequate security controls that would be justified for that risk.

And the last one would be internal network monitoring and detection. As I mentioned earlier, the CIP standards are very, in my opinion, are very similar to the NIST standards. If you overlay them, the controls are very similar.

What we have concern about is internal movement within any trust zone, so just lateral movement if a machine is compromised. So we're looking at potentially enhancing, or ways that, the internal network monitoring and detection can be done efficiently to ensure that any type of malicious activity is detected.

That's a very quick overview of some of the things we're doing here in DCS. Obviously, there's a lot more. But I'm looking forward to any questions that many have in the panel. Thank you very much.

MR. BEARDSLEY: Thank you, Barry. At this point, we'll go to the questions that have been submitted so far. We look forward to answering these and any other questions that the audience is interested in asking us.

So the first question goes to my presentation where I mentioned that the NRC's Office of Inspector General had conducted an audit of our Cyber Security Inspection Program. There were two findings as a result of that audit. The question was what were the findings.

So the answer is there were two findings.

The first one had to do with staff level of knowledge and also making sure we had enough staff so that we could account for retirements in staff. And the NRC staff is working on that process through our internal human resources activities.

The second finding had to do with introducing suitable performance measures into our inspection and oversight program. And as part of our new inspection procedure that we've drafted and we're working on implementing, we are looking at ways to include performance metrics and possibly performance testing and inputs to the staff's evaluation of a licensee's performance. That's the answer to the first question.

The second question was for Paul. And let me read it, and then we'll give Paul a chance to answer. With the UK's new approach, what are some of the steps taken to ensure the consistency of inspection and regulatory processes?

Also how does the outcome-driven approach ensure repeatability and scrutable regulatory process? Paul?

MR. SHANES: Thanks, Jim. And that's a really key question actually, and one that's been a part of implementation about conflict regulation, I think firstly from a consistency perspective. And our security assessment really provides the backbone of a consistent regulatory methodology that enables consistent regulatory judgements. So our expectations are articulated within that document.

And underneath those, I think I briefly alluded to we have a number of technical inspection and technical assessment guides. And really, they serve to provide the backbone of the consistency from an inspector's perspective. They articulate the sort of things that the inspector should consider.

So from a consistency perspective, that suite of documentation, which we make fully available to duty holders, really provide that level of consistency.

In terms of repeatable processes, one of the fundamental principles that we have within ONR, in common with all regulators within the UK, is the principle of proportionality. And one of the things that we do is, whilst we wish to have a repeatable, and certainly one which may be evidence process for the way in which we regulate the industry, it is proportionate. And it is based upon that identification of appropriate protection mechanisms up front.

So we don't necessarily follow the exact same schedule of interventions across all of our duty holders. We have varying regulatory attention levels. And that really guides the level of intervention activity that we undertake. However, there is consistency throughout, and that is based on the proportionality aspect that I mentioned there.

So in addition to that, occasionally we will also do thematic inspections whereby we will take a particular topic. If we wish to look at governance and leadership, or cyber security, for example, we may, as a thematic area, in consultation with government, look at doing that thematically across the sector and conducting consistent intervention activity.

But ordinarily, it is more targeted in our approach in order to achieve that preference for proportionality. I hope that answers the question.

Thank you.

MR. BEARDSLEY: Thank you, Paul.

The next question, let me make sure I've got it right here, was actually asked of the NRC, but I think it's a question that all of the licensees, or all of our panel members could speak to.

So let me read the question. Does the NRC distinguish between cyber security and physical security? If so, does the NRC view cyber/physical security approaches such as STPA, STPA Security, OCTAVE, or others?

So the NRC, from a regulatory point of view, starts our oversight with our cyber security rule. The rule then, we develop guidance for the rule which laid out the process for a licensee to develop and implement a cyber security plan.

The cyber security plans included a lot of structure that was related back to the National Institute of Standards and Technology standards that Barry mentioned, the NIST standards. And so the controls that the licensees have to implement on their, not only in the manifestation of their program, but also in what they use to secure their digital assets, are laid out in their cyber security plans relatively explicitly.

And then they have industry guidance that they use to develop internal procedures to go determine which assets have to be protected and the level of protection for those assets. So there are no other tools or models being used to break down the systems or the other areas that have to be protected, with the exception of the fact that the rule requires them to address cyber security for safety, security, and emergency preparedness systems.

And then within those systems they determine which assets have to be protected and then subsequently what protections are appropriate for the assets.

So I hope that answers the question. And I'll turn it over to the other panel members if they have any thoughts.

MR. SHANES: So, Jim, just to complement that from an ONR perspective, everything really hinges around a duty holder having a site security plan or an equivalent if they're a transportation provider, for example. And within that site security plan, would come all the facets of security. And we're really looking for an integrated model and one which, you know, covers all aspects of security.

So do we distinguish between cyber and physical? Yes, we do. But we very much follow a graded approach and a defense in depth principle whereby actually, you know, we see the intrinsic link between all of the different facets of security.

And we expect our duty holders really to manage security holistically and to consider mitigation measures and security arrangements across the board rather than just focus purely on a dedicated cyber security plan that, for example, stood completely alone from other security expectations.

MR. BEARDSLEY: Thank you, Paul.

MR. KUEHNLE: This is Barry with FERC.

So from a physical perspective, the CIP standards include both physical and cyber. So specifically CIP-014, one of the standards within this suite, specifically addresses physical security. And also, physical security is kind of sprinkled throughout the standards as well, you know, such as protection of the data centers and the control systems, and that type of thing.

MR. SIGETICH: From a CNSC perspective, I would echo what my colleagues on this panel have said already. It's really that from a holistic perspective we're looking at both the integration of security aspect and cyber security, the physical security plus cyber security.

So really, we're looking to have licensees have an integrated approach to looking at all of the systems together. And we don't prescribe the type of models that they're using. We have overarching requirements for their -- that they need to come up with methods to have a security plan and a cyber security program. And they're the ones who propose the different methodologies that they use to meet the requirements. Thank you.

MR. BEARDSLEY: Thank you, Justin. So the next question was for Paul in particular. Power plants are subject to a range of cyber regimes, nuclear, electric, reliability, et cetera.

Do you feel the approach in the UK, high level expectations, in parentheses, allows entities to implement an enterprise-wide cyber program versus separate cyber programs designated to be very specific regulatory requirements by each regulatory body?

MR. SHANES: Yes, another really good question and something that has actually been at the heart of the implementation at CyOps again. Because one of the requests that we had from our duty holder community during extensive consultation was really to empower them to not have a mandated approach to cyber security, or security more widely, but rather to allow them to offer up evidence of arrangements that could be from other expectations, whether that's regulatory or certification expectations from other bodies, et cetera.

And the duty holders that we regulate are regulated in the round by numerous other organizations as well. But we have the sole responsibility from a nuclear perspective. You know, clearly there are expectations of our duty holders around data protection arrangements.

We regulate the civil nuclear constabulary, and they have expectations on them as a policing organization. And likewise our carriers, in terms of road, rail, and air, are often subject to maritime, air, or road regulations in terms of the way in which they operate.

So, you know, I'm a firm believer that actually the outcome-focused approach really does empower duty holders to put forward a suite of evidence which may come from satisfying any other regulatory expectation.

And provided that, you know, it justifies the claims that are being made by our duty holders, we are open to receiving that. And so we actually strongly encourage that. And we see it as a huge cost benefit to those that we regulate, that they can re-utilize evidence from other aspects of their business operation. Thank you.

MR. BEARDSLEY: Thank you, Paul. Does anyone else on the panel have any thoughts on that question? Or we can move onto the next.

MR. SIGETICH: Looking ahead, a bit of perspective from the CNSC that the CNSC's approach has always been to create higher level objectives as opposed to very specific, prescriptive requirements.

We do have some level of prescriptive requirements, but we do not specify in detail exactly all of the methods that licensees are required to follow.

We instead provide them with the overarching requirements, and they have flexibility in the way that they meet those requirements, as long as they can provide us with documented safety analysis to detail exactly why what they're proposing to do, if it doesn't meet our guidance, is acceptable.

So we have valued this approach of some regulatory flexibility, since it allows our licensees to be able to come up with better methods than had been thought. So anyway, this has been the CNSC approach.

But for us in this particular area, we have found that we have specified that licensees are to have comprehensive cyber security programs, that they are required to come up with one program for their facility. And that is to ensure that they are having a comprehensive management system that encompasses all of the various program systems and including, like, a comprehensive cyber security program as well.

So we're looking at them to have a comprehensive system, as part of our comprehensive system, for them to be able to ensure that they have all of the requirements they need and well documented governance.

MR. BEARDSLEY: Thank you, Justin. So let me move on to the next question. This is a question for all the panel members. Are there any operators or regulators that are studying the potential for blockchain technology as an integrated layer for securing records management?

And I'll take the first crack at this one, and then we can move on. The NRC staff has monitored the potential use of blockchain technology in multiple different areas. But we don't mandate to the licensees how they maintain their record systems or how they maintain their supply chain.

We understand that blockchain technology could be used for managing and securing multiple different elements of the supply chain. So we understand the technology, and we're watching it.

But it's really up to our licensees to elect to implement that type of technology or any technology.

And then they would basically, through inspection, we would observe how it is implemented and make sure that it meets the regulatory requirements.

And I'll turn the question over to the rest of the panel.

MR. SIGETICH: From the CNSC perspective

-- oh, sorry, Paul.

MR. SHANES: Go ahead, please, Justin.

MR. SIGETICH: Oh, okay. From the CNSC perspective, I would echo what, Jim, you just said, that I have not heard of any specific use of blockchain.

But we would not be prescriptive in the methods that licensees use to protect their record systems other than our high level requirements that they need to ensure that their records are protected, and especially with any, what we call prescribed information that's held digitally. They would need to ensure that that information is protected from any potential cyber risk.

MR. SHANES: And quite similarly from the UK's perspective, you know, again it's not something that we would mandate in one way or another. The sector as a whole commissions a reasonable amount of research and development on an ongoing basis.

We support quite a bit of that, you know, in order to understand the regulatory aspects, and the sector obviously, to look at potential future uses of technology. But it's not something specifically that we would necessarily have an immediate view on without a duty holder proposing it.

MR. KUEHNLE: And this is Barry with FERC. I would echo the same thing. We do require the protection of documentation in a supply chain.

Obviously, we do not specifically recommend any type of technology that would ensure that those risks are mitigated.

MR. BEARDSLEY: Thanks, Barry. The next question is actually for you. So we'll keep you up on the screen here. Are additional CIP standards directed at CIP low impact site controls coming out?

MR. KUEHNLE: Obviously, I can't speak to anything that's happening internal to the Commission right now. However, the Commission has recently released the Cyber Security Incentive Program specifically for transmission where there is the opportunity for a transmission owner to enhance their cyber security controls, and many of those would be the low impact, and have financial benefit by doing that.

I know that, within the standard drafting teams, low impact is routinely discussed because of the security controls that are wrapped around those low impact. But as far as anything specific coming out, I can't speak to anything along those lines.

Thank you.

MR. BEARDSLEY: Thanks, Barry. The next question is for all the panel members. Is a quantitative risk assessment approach used to establish cyber security defenses, and what documents are used to assess cyber security risk?

So from a US point of view, each licensee has an approved cyber security plan. And within the cyber security plan, they have elements that may have systems they have to analyze. They have to decide which digital assets in those systems have to be protected. And then there's a series of protections that have to be assessed for each digital asset that's included.

Beyond that structure, it's really up to the licensees to determine the assessments and figuring out, well, in the level of protection of those assets have to, you know, have to be put in place for those assets.

The staff has reviewed and accepted for use a number of industry guidance documents that provide a structure for risk assessing different levels of assets in different systems and then agreeing with a somewhat lower set of controls that we placed on those assets.

But there is no particular model that's been used to date for assessing the risk of systems or assets and then what systems, what controls would be appropriate for those.

And with that, I'll turn the next question over to Paul.

MR. SHANES: Yes. So as you might expect, a similar answer, I think in terms of mandates within the CyOps, you know, the closest thing we would kind of go as far as mandating the categorization and classification of assets and associated postulate results from that.

Within our security delivery principles, affected information in cyber risk management is up there. And, you know, we set out some expectations for our duty holders but didn't go as far as mandating a particular approach. And so really it is for duty holders to put forward to us how they're going to effectively identify, categorize, and then manage any risks that result.

MR. SIGETICH: Similar for the Canadian approach, that we do not specify a particular model that they would need to use to be able to assess the risk of their cyber essential assets. So they have different methods that they use, but we do not specify any particular method that they use.

MR. KUEHNLE: And from a FERC perspective, the CIP standards in CIP-002, they have a method to determine your high, medium, and low impact. And you could wrap risk around those high, medium, and low impact.

MR. BEARDSLEY: Thank you. The very next question is for you again. So let's see, DHS did, let me just take out the acronym, the U.S. Department of Homeland Security did a cross-walk of the NIST 2.0 and electric sector requirements a year ago.

The questioner says, "I think." And 2.0 included supply chain, but how do the NIST and electric requirements address insider threat, trusted partner access, and third party authorizations? It's a good question.

MR. KUEHNLE: Excellent. So I'm going to speak specifically to the CIP standards, not the NIST standards. So the CIP standards, they include background checks, they include security awareness training. They include controls wrapped around the personnel that are in those high trust zones, if you will, from the CIP standards perspective. So that addresses your insider threats and your security awareness of just personnel in general.

From a trusted partner perspective, we're looking at technical controls as well. There are technical controls right now within the CIP standards that require, you know, justification reports and services and, you know, controls wrapped around monitoring of those connections that exist within the CIP standards to address those requirements.

But I think we all know, and I think SolarWinds is a really good example, of what just recently happened specifically with supply chain that kind of highlights the need to ensure that we need this type of security controls that are wrapped around supply chain and insiders, because I kind of lumped the two together.

It should be reviewed and ensure that they are robust enough to at least mitigate any type of event like a SolarWinds in the future. And I'm not saying we're going to be able to prevent it, but earlier detection is obviously better than later.

Thank you.

MR. BEARDSLEY: I can actually jump in and just give some perspective from the NRC point of view on supply chain in particular and then the insider threat.

From a supply chain point of view, we do have high level supply chain requirements that the licensees have committed to on their cyber security plans. There's not a specific or prescriptive process for the supply controls or system and services acquisition which is what the section is actually titled.

The U.S. NRC is working within the larger U.S. government with Department of Homeland Security and Department of Energy looking at methods to secure the electrical and subsequently the nuclear supply chain. That's a large problem. And I think that most people would recognize that it's going to take a lot of work.

But our licensees do have requirements for their purchasing. They do have requirements for testing of their systems. And they also have requirements for defense in depth so that if, for instance, a system or a component did get installed that had some level of malware or something like that in it, that they should be able to identify that as part of their overall system and take mitigative actions. So that's sort of the high level.

The other question had to do with insiders. The U.S. NRC does have insider mitigation regulations and requirements for all the licensees.

Those are inspected as a separate part of our regulatory oversight, not part of cyber security.

But we do rely on that to manage any potential cyber security insider activity.

That's the U.S. point of view, I don't know if Justin or Paul have any thoughts.

MR. SHANES: Yes, I'll be happy to kick off. So again, quite similar in terms of the expectations. We do set out high level expectations for effective supply chain management, effective contract security, and contract monitoring.

Our safety colleagues, from a supply chain perspective, also look at quality assurance expectations which, as you know, are making sure that, you know, assets are appropriately governed throughout the life cycle of the development and into operation.

In terms of insider threat once again, you know, we would again pick that up. Again it wouldn't necessarily be specifically within the cyber security team, because that probably is part of our workforce trustworthiness measures, and perhaps assessment of the cultural aspects within the organization as well, so a kind of broader aspect of security that we do set high expectations with.

MR. SIGETICH: I don't have much to add.

Everyone has really addressed many of the same points that Canada has in its programs.

So for the supply chain, we are certainly very interested in ensuring that we are addressing any issues in the supply chain. We have research ongoing in this area to ensure that the supply chain is protected. And certainly the insider threat is one of the threats that's assessed in any of the analyses that are part of any security plan.

MR. BEARDSLEY: Thank you. The next question was actually targeted towards the NRC, so I will answer it. And then we can move on.

So the question is are we going to see force on force exercise start to look at cyber attacks as part of their exercises?

In the US, we do have a robust force on force testing program at all of our commercial power licensees. At this time, we have focused on the licensees implementing their programs. That's been the primary focus of our inspection and oversight.

We have evaluated the potential to include cyber security as part of the force on force program and have elected not to do that at this time.

There's a couple of reasons for that. One, based on the successful implementation of the licensee's programs, we believe there would be limited ability of a cyber attack to impact the physical security programs and thus be an active part of a force on force test.

And the other side of it is, you know, we're looking at overall licensee programs. And within the cyber security program, licensees do conduct their own internal exercises of their cyber security response which we believe adequately covers the same type of information you would gain from a force on force exam. So we don't know, at this time, that there would be a significant amount of information we would gain.

The next question is for everyone on the panel, so let me just read it out. And I know we're starting to run out of time, but I think we have enough time for this one.

There seems to be a pattern on the question of retirement or low staff supply to meet demand. What are the individual regulators doing and planning to do to sort out new talent and address the issue of cyber security professionals?

I'll take that first from the NRC perspective. We recognize that the level of cyber security knowledge worldwide, if not just in the United States, is extremely competitive. The U.S. government does have, actually, has implemented direct-hire authority for a number of agencies to directly hire cyber security professionals without having to go through a competitive process.

We evaluate the use of that, and we look at how we maintain our staffing. We also have staffing tools in our human resources programs that look at our overall staffing, what we need for the future. So we're looking five to ten years in the future, trying to factor in retirements and training for the staff.

At the NRC, we maintain the majority of cyber security expertise at our headquarters. And then we consult and assist the inspectors in the field with their cyber security inspections. And then by doing that we can centralize our training and the other assets we use to maintain our cyber security knowledge base.

I'll turn the question over to Justin to answer from a Canadian point of view.

MR. SIGETICH: Yes, from the Canadian perspective, I would say that cyber security is certainly one of the areas. But I think I would say that the aging workforce in the nuclear industry is certainly one aspect overall that is a concern.

And just to answer that in general, I'd say that the CNSC has the ability to hire staff directly across the board. So what we have is plans for succession, some succession plans looking for, like, a five-year and a ten-year plan, looking down the road.

We have talent management programs, we have training programs, and we're coming up with new training programs to ensure that any new hires would be able to take on their roles for the next few years and come in to use some of the new roles that would be open when people are looking at retirement in the next few years.

We're also developing and improving the current coaching and mentoring programs. And we're conducting targeted hiring for the areas where we know we'll have some weaknesses. When we have experts who have been in the industry for decades, when those people start to retire, we know that we need to make sure that we're hiring people with significant experience, and background, and trying to find ways of replacing that kind of experience.

But there are certainly challenges, but we're putting in place programs to be able to make sure that we can maintain the knowledge and skill to continue to effectively regulate the industry.

MR. BEARDSLEY: Paul?

MR. SHANES: Thanks, Jim. So I think in line with yourselves, we identify this as a real challenge. And it's certainly one of the things I picked up in the presentation. Trying to recruit and then retain appropriately qualified and experienced staff is a real challenge.

And it's not something that we, as a regulator, are suffering alone, nor as an industry actually. There is a huge amount of effort across the UK, led in part by government and in part by the National Technical Authority, our National Cyber Security Centre, to encourage and promote careers in cyber security. So I guess on a national footing, that is happening.

And also within the UK is the formation of a new Cyber Security Council, a professional body dedicated to cyber, which is undergoing work at the moment, and really a lot of effort, I know, that's being placed nationally to encourage people to get into the field.

That doesn't necessarily immediately solve the problem within the nuclear sector. We do struggle, like many sectors, to attract and retain the right people. And we're really using a whole myriad of mechanisms to address that.

We're working really closely with industry to attempt to ensure that both we, as the regulator, but also duty holders have the right people. We're working with government on the formation of their next cyber security strategy for the sector.

And certainly training and retention of skills is featuring heavily in those conversations around how that might be taken forward jointly between government, industry, and the regulator. Because it's in all of our interests to get the right people.

Slightly close to time, within the regulator we have embarked on cyber security graduate programs and joined forces with industry to attract people into the sector without routinely sponsoring the graduates at apprenticeship placements that rotate across the sector to bring in the next cadre of future inspectors.

And we blend that with cross-training and joint working internally so that we work closely with colleagues in disciplines that are linked in places to ours, such as emergency preparedness and response, control and instrumentation expertise, for example.

And we work closely to cross-skill where it's appropriate, and to work jointly to really pass our skills and experience on. But it is something that is definitely a challenge. And I think it will remain a challenge for a while and one, I think, that we're not suffering alone. So all ideas welcome, please.

MR. BEARDSLEY: Barry?

MR. KUEHNLE: Yes, thank you. So I'm just going to echo what Jim said earlier related to the federal government. FERC pretty much follows the same model.

But I'd like to add from a utility perspective, I know the utilities really struggle with being able to find qualified staff in a cyber security perspective that not only understand cyber security but also understand the control systems, which is a unique environment to begin with, and how that cyber security relates to the need for real time communications within that industrial control system environment.

So from a utility perspective, some of the things that we're hearing from the utilities is what they do is they train within, they go to recruit at colleges. They do as much as they can to try to grow people from the ground up to get into that cyber security environment since it is so unique.

They're having a lot of success, from what I'm hearing and what I'm seeing from the audits that we're on as well, that people actually are growing within the organization that may have a desire to learn it, are kind of filling those roles in addition to, you know, your standard pathways of going through colleges and recruiting, and community colleges as well, and so on. Thank you.

MR. BEARDSLEY: Thank you, Barry. Well, that brings us to pretty much the end of our session.

I don't know that we're going to have time to answer any more questions.

At this point, I'd like to thank all of the panelists. I think we covered a lot of ground today, a lot of different perspectives. Although what you might find is, although we are coming from different perspectives and regulating different levels of industries, I think the approaches we're taking are relatively similar. And we're all very, very interested in making sure that our respective licensees have the appropriate cyber security controls in place.

Again, thank you to the panelists. I'd like to thank the RIC support staff. The background of running this RIC digitally has been a challenge, but I think they did a great job.

And I'd also like to thank Yuris Guantrans (phonetic) and Dan Warner of my staff who helped us organize the questions, reached out to the panelists about 1,000 times to make sure everyone understood what we were doing to get logged in and get ready for the RIC.

Thank you very much. And I hope you enjoy the rest of the program.

(Whereupon, the above-entitled matter went off the record at 11:59 a.m.)
