ML22038A946: Difference between revisions
StriderTol (talk | contribs) (StriderTol Bot change) |
StriderTol (talk | contribs) (StriderTol Bot change) |
||
| Line 15: | Line 15: | ||
=Text= | =Text= | ||
{{#Wiki_filter:IAEA Technical Meeting on Instrumentation and Control and Computer Security for Small Modular Reactors and Microreactors February 21-25, 2022 | {{#Wiki_filter:U.S.A. Regulatory Efforts for Cyber Security of Advanced Reactors Juris Jauntirans Cyber Security Specialist U.S. Nuclear Regulatory Commission Ismael Garcia Senior Level Advisor, Cyber Security and Digital Instrumentation and Control U.S. Nuclear Regulatory Commission Michael T. Rowland Sandia National Laboratory IAEA Technical Meeting on Instrumentation and Control and Computer Security for Small Modular Reactors and Microreactors February 21-25, 2022 | ||
Draft Cyber Security Requirements for Advanced Reactors 2 | |||
Background - | |||
Power Reactors Cyber Requirements Found in 10 CFR 73.54 Protect digital assets that perform specified functions Protect from cyber attacks up to an including a DBT 3 | |||
Proposed New Cyber Requirements 4 | |||
10 CFR Part 53 development for Advanced Reactors Preliminary Proposed Rule Language Publicly Available New Cyber Requirements in Proposed Rule | |||
Preliminary Proposed Cyber Requirements 5 | |||
==Reference:== | ==Reference:== | ||
Part 73.110, "Technology Neutral Requirements for Protection of Digital Computer and Communication Systems and Networks, ADAMS Accession Number ML21308A026 | Part 73.110, "Technology Neutral Requirements for Protection of Digital Computer and Communication Systems and Networks, ADAMS Accession Number ML21308A026 | ||
10 CFR 73.110 Draft Regulatory Guide Concepts 6 | |||
Draft Regulatory Guide Development 7 | |||
An acceptable approach for meeting the 10 CFR 73.110 requirements Effective guidance to support a performance-based regulatory framework Leverage IAEA and IEC security approaches | |||
Draft Regulatory Guide - | |||
Three-Tier Analysis Approach 8 | |||
Facility Level Function Level System Level | |||
Important Terminology CEAS: Cyber-Enabled Accident Scenario CEIS: Cyber-Enabled Physical Intrusion Scenario 9 | |||
Develop | Evaluate DB and PPS for protection against CEAS and CEIS START - | ||
Existing Safety and Security Analyses DB elements and PPS features ensure that potential cyber attacks do not result in 10 CFR 73.110(a) consequences Update DB and/or PPS CEAS or CEIS result in 10 CFR 73.110(a) consequences? | |||
Security By Design Feasible? | |||
Yes No Yes No Develop Adversary Functional Scenarios DB - Design Basis PPS-Physical Protection Systems CEIS-Cyber Enabled Intrusion Scenario CEAS-Cyber Enabled Accident Scenario 10 Overview of Draft Regulatory Guide Performance-based/Risk Informed Approach Facility Level Function Level | |||
elements (e.g., | Do unmitigated Adversary Functional Scenarios remain? | ||
Passive Defense Feasible? | |||
Specify CSP and DCSA elements (e.g., | |||
prohibitions, passive/deterministic devices) to eliminate or mitigate attacks No Yes No Yes Document CSP and DCSA elements required to prevent credible cyber attack scenarios CSP-Cyber Security Plan DCSA-Defensive Computer Security Architecture 11 Optional Overview of Draft Regulatory Guide Performance-based/Risk Informed Approach (Cont.) | |||
Function Level | |||
Document CSP and DCSA | Identify Critical Functions and Systems Document CSP and DCSA elements, including cyber security controls, needed to protect against cyber attacks Develop or Update Adversary Technical Sequences Specify active CSP and DCSA elements (e.g., detection and response systems) and System Cyber Security Controls Unmitigated Sequences? | ||
Yes No CSP-Cyber Security Plan DCSA-Defensive Computer Security Architecture 12 Overview of Draft Regulatory Guide Performance-based/Risk Informed Approach (Cont.) | |||
System Level | |||
Future Work Continue work on Proposed Cyber Requirements and draft Regulatory Guide Inclusion in Part 53 rulemaking package 13 | |||
14}} | |||
Latest revision as of 18:38, 27 November 2024
| ML22038A946 | |
| Person / Time | |
|---|---|
| Issue date: | 02/03/2022 |
| From: | Ismael Garcia NRC/NSIR/DPCP |
| To: | |
| Garcia I | |
| References | |
| Download: ML22038A946 (15) | |
Text
U.S.A. Regulatory Efforts for Cyber Security of Advanced Reactors Juris Jauntirans Cyber Security Specialist U.S. Nuclear Regulatory Commission Ismael Garcia Senior Level Advisor, Cyber Security and Digital Instrumentation and Control U.S. Nuclear Regulatory Commission Michael T. Rowland Sandia National Laboratory IAEA Technical Meeting on Instrumentation and Control and Computer Security for Small Modular Reactors and Microreactors February 21-25, 2022
Draft Cyber Security Requirements for Advanced Reactors 2
Background -
Power Reactors Cyber Requirements Found in 10 CFR 73.54 Protect digital assets that perform specified functions Protect from cyber attacks up to an including a DBT 3
Proposed New Cyber Requirements 4
10 CFR Part 53 development for Advanced Reactors Preliminary Proposed Rule Language Publicly Available New Cyber Requirements in Proposed Rule
Preliminary Proposed Cyber Requirements 5
Reference:
Part 73.110, "Technology Neutral Requirements for Protection of Digital Computer and Communication Systems and Networks, ADAMS Accession Number ML21308A026
10 CFR 73.110 Draft Regulatory Guide Concepts 6
Draft Regulatory Guide Development 7
An acceptable approach for meeting the 10 CFR 73.110 requirements Effective guidance to support a performance-based regulatory framework Leverage IAEA and IEC security approaches
Draft Regulatory Guide -
Three-Tier Analysis Approach 8
Facility Level Function Level System Level
Important Terminology CEAS: Cyber-Enabled Accident Scenario CEIS: Cyber-Enabled Physical Intrusion Scenario 9
Evaluate DB and PPS for protection against CEAS and CEIS START -
Existing Safety and Security Analyses DB elements and PPS features ensure that potential cyber attacks do not result in 10 CFR 73.110(a) consequences Update DB and/or PPS CEAS or CEIS result in 10 CFR 73.110(a) consequences?
Security By Design Feasible?
Yes No Yes No Develop Adversary Functional Scenarios DB - Design Basis PPS-Physical Protection Systems CEIS-Cyber Enabled Intrusion Scenario CEAS-Cyber Enabled Accident Scenario 10 Overview of Draft Regulatory Guide Performance-based/Risk Informed Approach Facility Level Function Level
Do unmitigated Adversary Functional Scenarios remain?
Passive Defense Feasible?
Specify CSP and DCSA elements (e.g.,
prohibitions, passive/deterministic devices) to eliminate or mitigate attacks No Yes No Yes Document CSP and DCSA elements required to prevent credible cyber attack scenarios CSP-Cyber Security Plan DCSA-Defensive Computer Security Architecture 11 Optional Overview of Draft Regulatory Guide Performance-based/Risk Informed Approach (Cont.)
Function Level
Identify Critical Functions and Systems Document CSP and DCSA elements, including cyber security controls, needed to protect against cyber attacks Develop or Update Adversary Technical Sequences Specify active CSP and DCSA elements (e.g., detection and response systems) and System Cyber Security Controls Unmitigated Sequences?
Yes No CSP-Cyber Security Plan DCSA-Defensive Computer Security Architecture 12 Overview of Draft Regulatory Guide Performance-based/Risk Informed Approach (Cont.)
System Level
Future Work Continue work on Proposed Cyber Requirements and draft Regulatory Guide Inclusion in Part 53 rulemaking package 13
14