Information Notice 2019-04, Effective Cyber Security Practices to Protect Digital Assets of Byproduct Materials Licensees: Difference between revisions
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
StriderTol (talk | contribs) (StriderTol Bot change) |
||
| Line 14: | Line 14: | ||
| page count = 9 | | page count = 9 | ||
}} | }} | ||
{{#Wiki_filter:UNITED STATES | {{#Wiki_filter:ML18044A350 | ||
UNITED STATES | |||
NUCLEAR REGULATORY COMMISSION | NUCLEAR REGULATORY COMMISSION | ||
| Line 22: | Line 23: | ||
OFFICE OF NUCLEAR REACTOR REGULATION | OFFICE OF NUCLEAR REACTOR REGULATION | ||
WASHINGTON, DC 20555-001 August 14, 2019 NRC INFORMATION NOTICE 2019-04: | WASHINGTON, DC 20555-001 | ||
August 14, 2019 | |||
NRC INFORMATION NOTICE 2019-04: | |||
EFFECTIVE CYBER SECURITY PRACTICES | |||
TO PROTECT DIGITAL ASSETS OF | TO PROTECT DIGITAL ASSETS OF | ||
| Line 31: | Line 37: | ||
All U.S. Nuclear Regulatory Commission (NRC) byproduct materials licensees that possess | All U.S. Nuclear Regulatory Commission (NRC) byproduct materials licensees that possess | ||
risk-significant quantities of radioactive material and NRC master materials licensees. All | risk-significant quantities of radioactive material and NRC master materials licensees. All | ||
Agreement State Radiation Control Program Directors and State Liaison Officers. | Agreement State Radiation Control Program Directors and State Liaison Officers. | ||
| Line 46: | Line 52: | ||
The information in this IN is not an NRC requirement; therefore, the NRC requires no specific | The information in this IN is not an NRC requirement; therefore, the NRC requires no specific | ||
action or written response. The NRC is providing this IN to the Agreement States for their | action or written response. The NRC is providing this IN to the Agreement States for their | ||
information and for distribution to their applicable licensees, as appropriate. | information and for distribution to their applicable licensees, as appropriate. | ||
| Line 55: | Line 61: | ||
materials licensees as part of its overall strategy to ensure that both reactor and nonreactor | materials licensees as part of its overall strategy to ensure that both reactor and nonreactor | ||
licensees are providing adequate protection against cyber security threats. In 2014, the | licensees are providing adequate protection against cyber security threats. In 2014, the | ||
Radiation Source Protection and Security Task Force, chaired by the NRC, recommended the | Radiation Source Protection and Security Task Force, chaired by the NRC, recommended the | ||
| Line 63: | Line 69: | ||
and mitigating cybersecurity vulnerabilities related to Category 1 and Category 2 radioactive | and mitigating cybersecurity vulnerabilities related to Category 1 and Category 2 radioactive | ||
sources. The 2018 Radiation Source Protection and Security Task Force Report (ADAMS | sources. The 2018 Radiation Source Protection and Security Task Force Report (ADAMS | ||
Accession No. ML18235A370 (package)) reported on the NRCs assessment. | Accession No. ML18235A370 (package)) reported on the NRCs assessment. | ||
| Line 72: | Line 78: | ||
assets in the following four usage categories: digital devices that support the physical security of | assets in the following four usage categories: digital devices that support the physical security of | ||
licensees facilities; equipment with software-based control, operation, and automation features; | licensees facilities; equipment with software-based control, operation, and automation features; | ||
computers used to maintain source inventories, audit data, and records necessary for | computers used to maintain source inventories, audit data, and records necessary for | ||
| Line 81: | Line 87: | ||
The NRC staff concluded that the categories of licensees evaluated in this assessment do not | The NRC staff concluded that the categories of licensees evaluated in this assessment do not | ||
solely rely on digital systems to ensure safety or security. Generally, licensees apply a | solely rely on digital systems to ensure safety or security. Generally, licensees apply a defense-in-depth approach to safety and security by using measures that include nondigital | ||
features such as doors, locks, barriers, human resources, and operational processes in addition | features such as doors, locks, barriers, human resources, and operational processes in addition | ||
to any digital assets. In addition, computers used to maintain source inventories, audit data, and records necessary for compliance with security requirements often use encryption, password protection, and other methods of limiting access to digital records to those who have | to any digital assets. In addition, computers used to maintain source inventories, audit data, and records necessary for compliance with security requirements often use encryption, password protection, and other methods of limiting access to digital records to those who have | ||
a need to know. As a result, the NRC staff determined that a compromise of the digital assets | a need to know. As a result, the NRC staff determined that a compromise of the digital assets | ||
used in these applications would not cause a direct dispersal of risk-significant quantities of | used in these applications would not cause a direct dispersal of risk-significant quantities of | ||
| Line 107: | Line 111: | ||
awareness of mechanisms and practices that can provide protection against cyber security | awareness of mechanisms and practices that can provide protection against cyber security | ||
threats may be valuable to licensee operations and procedures. As a result, the enclosure to | threats may be valuable to licensee operations and procedures. As a result, the enclosure to | ||
this IN contains effective practices for licensee awareness. The NRC staff also determined that | this IN contains effective practices for licensee awareness. The NRC staff also determined that | ||
providing a means to share relevant information resources with licensees would be prudent | providing a means to share relevant information resources with licensees would be prudent | ||
because the cyber security threat landscape is constantly evolving. The Conclusion section of | because the cyber security threat landscape is constantly evolving. The Conclusion section of | ||
this IN provides information on how to access these resources. | this IN provides information on how to access these resources. | ||
| Line 123: | Line 127: | ||
adequate protection of public health and safety when considering the potential consequences of | adequate protection of public health and safety when considering the potential consequences of | ||
a wide array of attack modes, including cyber. The enclosure to this IN provides additional | a wide array of attack modes, including cyber. The enclosure to this IN provides additional | ||
effective practices related to cyber security issues licensees may use as applicable. | effective practices related to cyber security issues licensees may use as applicable. | ||
| Line 131: | Line 135: | ||
practices in guidance developed by the Office of Nuclear Reactor Regulation for nonpower | practices in guidance developed by the Office of Nuclear Reactor Regulation for nonpower | ||
reactors, Cyber Security: Effective Practices for the Establishment and Maintenance of | reactors, Cyber Security: Effective Practices for the Establishment and Maintenance of | ||
Adequate Cyber Security at Non-Power (Research and Test) Reactor Facilities, dated | Adequate Cyber Security at Non-Power (Research and Test) Reactor Facilities, dated | ||
| Line 139: | Line 143: | ||
In addition, the U.S. Food and Drug Administration (FDA) regulates the manufacturers of | In addition, the U.S. Food and Drug Administration (FDA) regulates the manufacturers of | ||
medical devices. Additional information on the FDAs activities, role, and expectations for | medical devices. Additional information on the FDAs activities, role, and expectations for | ||
continued cyber security of medical devices can be found at | continued cyber security of medical devices can be found at | ||
| Line 149: | Line 153: | ||
documents that provides U.S. Federal Government computer security policies, procedures, and | documents that provides U.S. Federal Government computer security policies, procedures, and | ||
guidelines. These publications, available at https://csrc.nist.gov/publications/sp800, may be | guidelines. These publications, available at https://csrc.nist.gov/publications/sp800, may be | ||
useful to licensees by providing guidelines for workable and cost-effective methods for | useful to licensees by providing guidelines for workable and cost-effective methods for | ||
| Line 155: | Line 159: | ||
optimizing the security of information technology (IT) systems and networks in a proactive | optimizing the security of information technology (IT) systems and networks in a proactive | ||
manner. The publications cover all procedures and criteria recommended by the National | manner. The publications cover all procedures and criteria recommended by the National | ||
1 Risk-significant quantities of radioactive material are defined as those that meet the thresholds for Category 1 and | 1 Risk-significant quantities of radioactive material are defined as those that meet the thresholds for Category 1 and | ||
| Line 168: | Line 172: | ||
==CONTACT== | ==CONTACT== | ||
This IN requires no specific action or written response. Please direct any questions about this | This IN requires no specific action or written response. Please direct any questions about this | ||
matter to the technical contacts listed below. | matter to the technical contacts listed below. | ||
/RA/ | /RA/ | ||
/RA/ | |||
Christopher G. Miller, Director | |||
Office of Nuclear Reactor Regulation | Andrea L. Kock, Director | ||
Division of Inspection | |||
Division of Materials Safety, Security, State, and Regional Support | |||
and Tribal Programs | |||
Office of Nuclear Reactor Regulation | |||
Office of Nuclear Material Safety | |||
and Safeguards | and Safeguards | ||
Technical Contacts: Kim Lukes, NMSS | Technical Contacts: Kim Lukes, NMSS | ||
Paul Goldberg, NMSS | |||
(301) 415-6701 | |||
(301) 415-7842 E-mail: Kim.Lukes@nrc.gov | |||
E-mail: Paul.Goldberg@nrc.gov | |||
Note: NRC generic communications may be found on the NRC public Web site, http://www.nrc.gov, under NRC Library/Document Collections. NRC INFORMATION NOTICE 2019-04: EFFECTIVE CYBER SECURITY PRACTICES TO | Note: NRC generic communications may be found on the NRC public Web site, http://www.nrc.gov, under NRC Library/Document Collections. NRC INFORMATION NOTICE 2019-04: EFFECTIVE CYBER SECURITY PRACTICES TO | ||
PROTECT DIGITAL ASSETS OF BYPRODUCT MATERIALS LICENSEES | PROTECT DIGITAL ASSETS OF BYPRODUCT MATERIALS LICENSEES | ||
ADAMS Accession No.: ML18044A350 | ADAMS Accession No.: ML18044A350 | ||
CAC/EPID: A11017/L-2019-GEN-0000 | |||
* - via email | |||
OFFICE | |||
NMSS/SMPB/TR | |||
NMSS/SMPB/TR | |||
QTE | |||
NMSS/SMPB/BC | |||
NMSS/ASPB/BC | |||
NAME | |||
PGoldberg | |||
KLukes | |||
JDougherty* | |||
ZCruzPerez* | |||
PMichalak* | |||
DATE | |||
03/19/19 | |||
03/19/19 | |||
03/28/19 | |||
05/22/19 | |||
05/29/19 OFFICE | |||
NRR/DIRS/IRGB/PM | |||
NRR/DIRS/IRGB/OLA | |||
NRR/DIRS/IRGB/ BC | |||
NMSS/MSST/D | |||
NRR/DIRS/D | |||
DATE | NAME | ||
TGovan* | |||
IBetts* | |||
TInverso* | |||
AKock | |||
CMiller | |||
DATE | |||
06/03/19 | |||
06/06/19 | |||
06/11/19 | |||
08/13/19 | |||
08/14/19 Official Record Copy | |||
Enclosure | |||
EFFECTIVE CYBER SECURITY PRACTICES TO PROTECT DIGITAL ASSETS OF | EFFECTIVE CYBER SECURITY PRACTICES TO PROTECT DIGITAL ASSETS OF | ||
| Line 204: | Line 277: | ||
BYPRODUCT MATERIALS LICENSEES | BYPRODUCT MATERIALS LICENSEES | ||
EFFECTIVE PRACTICES | |||
Personnel | Personnel | ||
Define Roles and Responsibilities | |||
Effective practices include instituting role-based access controls to network resources based on | Effective practices include instituting role-based access controls to network resources based on | ||
personnel job functions. Limiting permissions through access controls can reduce the risk of | personnel job functions. Limiting permissions through access controls can reduce the risk of | ||
compromise to systems and facilitate better tracking of network intrusions and suspicious | compromise to systems and facilitate better tracking of network intrusions and suspicious | ||
activities. In addition, restricting the number of personnel granted administrative (i.e., super | activities. In addition, restricting the number of personnel granted administrative (i.e., super | ||
user or root) rights or accounts on each digital asset and ensuring that all such personnel | user or root) rights or accounts on each digital asset and ensuring that all such personnel | ||
| Line 222: | Line 297: | ||
an effective practice. | an effective practice. | ||
Implement Staff Cyber Security Training | |||
One of the best means of preventing cyberattacks is to educate personnel who perform | One of the best means of preventing cyberattacks is to educate personnel who perform | ||
administrative functions or use digital assets about the mechanisms by which cyberattacks may | administrative functions or use digital assets about the mechanisms by which cyberattacks may | ||
be carried out and strategies to protect them. Effective initial and periodic cyber security | be carried out and strategies to protect them. Effective initial and periodic cyber security | ||
training may include information on social engineering methods that malicious actors might use | training may include information on social engineering methods that malicious actors might use | ||
| Line 235: | Line 311: | ||
through phishing, phone calls, or other types of personal interactions; smart browsing practices | through phishing, phone calls, or other types of personal interactions; smart browsing practices | ||
such as awareness of malware, updating systems, and installing patches; password policies; | such as awareness of malware, updating systems, and installing patches; password policies; | ||
use of portable electronic media and devices; use of wireless communications; appropriate | use of portable electronic media and devices; use of wireless communications; appropriate | ||
| Line 242: | Line 318: | ||
and procedures related to the employees job activities. | and procedures related to the employees job activities. | ||
Physical Protection | |||
Physical Security | Physical Security | ||
Part of the effort to protect digital assets against cyberattacks involves ensuring that physical | Part of the effort to protect digital assets against cyberattacks involves ensuring that physical | ||
security is in place. Devices containing risk-significant radioactive materials that have digital | security is in place. Devices containing risk-significant radioactive materials that have digital | ||
components to their operations, such as panoramic irradiators and stereotactic radiosurgery | components to their operations, such as panoramic irradiators and stereotactic radiosurgery | ||
| Line 253: | Line 330: | ||
devices, are typically located within security zones that are already subject to Title 10 of the | devices, are typically located within security zones that are already subject to Title 10 of the | ||
Code of Federal Regulations (CFR) Part 37, Physical Protection of Category 1 and Category 2 Quantities of Radioactive Material. Effective practices include physical security measures such | Code of Federal Regulations (CFR) Part 37, Physical Protection of Category 1 and Category 2 Quantities of Radioactive Material. Effective practices include physical security measures such | ||
as using locked rooms and enclosures for other types of digital assets, such as computers that | as using locked rooms and enclosures for other types of digital assets, such as computers that | ||
| Line 261: | Line 338: | ||
Some facilities use radiofrequency identification (RFID) personnel badges as part of their | Some facilities use radiofrequency identification (RFID) personnel badges as part of their | ||
access control systems. Licensees could consider whether their facilities could be susceptible | access control systems. Licensees could consider whether their facilities could be susceptible | ||
to badge-cloning attempts. Multifactor authentication measures, such as using a unique | to badge-cloning attempts. Multifactor authentication measures, such as using a unique | ||
passcode or biometric in association with use of the badge, can augment the secure use of | passcode or biometric in association with use of the badge, can augment the secure use of | ||
RFID badges. In addition, a cover or carrier used to shield an RFID personnel badge can | RFID badges. In addition, a cover or carrier used to shield an RFID personnel badge can | ||
prevent badge-cloning attempts. | prevent badge-cloning attempts. | ||
2 | |||
Beyond physical controls for protecting digital assets, other types of controls, which may be | Beyond physical controls for protecting digital assets, other types of controls, which may be | ||
| Line 277: | Line 354: | ||
technical (e.g., firewalls, account passwords, antivirus software) or administrative (e.g., policies, procedures, guidelines, training), can reduce the pathways available for a cyberattack. | technical (e.g., firewalls, account passwords, antivirus software) or administrative (e.g., policies, procedures, guidelines, training), can reduce the pathways available for a cyberattack. | ||
Security Information Technology Infrastructure | |||
Maintain an Accurate Inventory of Digital Assets and Eliminate Exposure to External | Maintain an Accurate Inventory of Digital Assets and Eliminate Exposure to External | ||
| Line 286: | Line 364: | ||
devices are connected to other business networks or the Internet is considered an effective | devices are connected to other business networks or the Internet is considered an effective | ||
practice for determining where pathways may exist for cyber threat access. Such an | practice for determining where pathways may exist for cyber threat access. Such an | ||
assessment could be done by mapping out all interconnectivities and dependencies, including | assessment could be done by mapping out all interconnectivities and dependencies, including | ||
perimeters and connections to other systems. Removing any unnecessary software or services | perimeters and connections to other systems. Removing any unnecessary software or services | ||
could eliminate any unnecessary routes for possible cyberattacks. | could eliminate any unnecessary routes for possible cyberattacks. | ||
| Line 298: | Line 376: | ||
Keeping digital assets isolated from one another (no communications connectivity, or creation of | Keeping digital assets isolated from one another (no communications connectivity, or creation of | ||
an isolated local area network (LAN)), when possible, is an effective practice. For example, licensees could maintain boundaries to isolate digital components related to operations | an isolated local area network (LAN)), when possible, is an effective practice. For example, licensees could maintain boundaries to isolate digital components related to operations | ||
(e.g., panoramic irradiators and gamma stereotactic radiosurgery units) from the digital | (e.g., panoramic irradiators and gamma stereotactic radiosurgery units) from the digital | ||
| Line 312: | Line 390: | ||
network segments, and it entails classifying and categorizing IT assets, data, and personnel into | network segments, and it entails classifying and categorizing IT assets, data, and personnel into | ||
specific groups and then restricting access to these groups. Through network segmentation, a | specific groups and then restricting access to these groups. Through network segmentation, a | ||
compromise of one device or sector cannot translate into the exploitation of an entire system. | compromise of one device or sector cannot translate into the exploitation of an entire system. | ||
| Line 318: | Line 396: | ||
Access to network areas can be restricted by isolating them entirely from each other or by | Access to network areas can be restricted by isolating them entirely from each other or by | ||
implementing firewalls or similar security features. A firewall is a software program or hardware | implementing firewalls or similar security features. A firewall is a software program or hardware | ||
device that filters the inbound and outbound traffic between different parts of a network or | device that filters the inbound and outbound traffic between different parts of a network or | ||
between a network and the Internet. Firewalls can be used to block malware delivery and | between a network and the Internet. Firewalls can be used to block malware delivery and | ||
attempts at the remote exploitation of various systems and to provide notification of all such | attempts at the remote exploitation of various systems and to provide notification of all such | ||
| Line 330: | Line 408: | ||
Disabling wireless interfaces when they are not needed and avoiding the use of wireless | Disabling wireless interfaces when they are not needed and avoiding the use of wireless | ||
communications for certain functions is an effective practice. In an automated system, avoiding | communications for certain functions is an effective practice. In an automated system, avoiding | ||
the use of wireless communications for any signal or control that is essential for a safety | the use of wireless communications for any signal or control that is essential for a safety | ||
function is an effective practice. When communicating between remote sites (i.e., sites that are | function is an effective practice. When communicating between remote sites (i.e., sites that are | ||
not part of the internal data communications), the licensee could consider encrypting data | not part of the internal data communications), the licensee could consider encrypting data | ||
| Line 342: | Line 420: | ||
transmitted. | transmitted. | ||
3 | |||
Use Secure Remote Access Methods | |||
If remote access is necessary, a higher level of security can be achieved through a secure | If remote access is necessary, a higher level of security can be achieved through a secure | ||
access method, such as use of a virtual private network (VPN). A VPN is an encrypted data | access method, such as use of a virtual private network (VPN). A VPN is an encrypted data | ||
channel for securely sending and receiving data through public IT infrastructure, like the | channel for securely sending and receiving data through public IT infrastructure, like the | ||
Internet. This remote access can be further hardened by reducing the number of Internet | Internet. This remote access can be further hardened by reducing the number of Internet | ||
Protocol (IP) addresses that can access it (i.e., by limiting access to only a specific set of IP | Protocol (IP) addresses that can access it (i.e., by limiting access to only a specific set of IP | ||
addresses through a firewall). A VPN is only as secure as the devices connected to it. For | addresses through a firewall). A VPN is only as secure as the devices connected to it. For | ||
example, a laptop infected with malware can introduce vulnerabilities into the network, which | example, a laptop infected with malware can introduce vulnerabilities into the network, which | ||
| Line 365: | Line 444: | ||
temporary remote access when they are not in use. | temporary remote access when they are not in use. | ||
Implement Measures for Network Port Access | |||
All open network ports on switches, routers, and firewalls could be access points that enable | All open network ports on switches, routers, and firewalls could be access points that enable | ||
cyber criminals to gain physical access to licensee networks and computer systems. Licensees | cyber criminals to gain physical access to licensee networks and computer systems. Licensees | ||
may consider disabling all open and unused network ports. Disabling any ports that will not be | may consider disabling all open and unused network ports. Disabling any ports that will not be | ||
used for an extended period (e.g., when an employee goes on extended leave) is an effective | used for an extended period (e.g., when an employee goes on extended leave) is an effective | ||
| Line 376: | Line 456: | ||
practice. | practice. | ||
Cyber Security Policies | |||
Use Strong Passwords, Change Default Passwords, and Consider Other Access Controls | Use Strong Passwords, Change Default Passwords, and Consider Other Access Controls | ||
Strong passwords and the use of different passwords for different accounts can keep systems | Strong passwords and the use of different passwords for different accounts can keep systems | ||
and information secure. Password policies that define how complex passwords need to be | and information secure. Password policies that define how complex passwords need to be | ||
generated and how often or under what condition they need to be changed are good preventive | generated and how often or under what condition they need to be changed are good preventive | ||
measures. The following techniques are useful in creating unique passwords: (1) avoid using | measures. The following techniques are useful in creating unique passwords: (1) avoid using | ||
passwords that are based on personal information that can be easily guessed, (2) use a | passwords that are based on personal information that can be easily guessed, (2) use a | ||
| Line 391: | Line 472: | ||
combination of capital and lowercase letters, numbers, and special characters, and (3) develop | combination of capital and lowercase letters, numbers, and special characters, and (3) develop | ||
mnemonics such as passphrases for remembering complex passwords. In addition, using | mnemonics such as passphrases for remembering complex passwords. In addition, using | ||
password managers and implementing policies of not reusing passwords across accounts are | password managers and implementing policies of not reusing passwords across accounts are | ||
| Line 399: | Line 480: | ||
and using account lockout controls that activate when too many incorrect passwords have been | and using account lockout controls that activate when too many incorrect passwords have been | ||
entered. Multifactor authentication, under which users must verify their identities whenever they | entered. Multifactor authentication, under which users must verify their identities whenever they | ||
attempt to sign in, is an effective practice. | attempt to sign in, is an effective practice. | ||
| Line 411: | Line 492: | ||
Maintain Awareness of Vulnerabilities and Implement Necessary Patches and Updates | Maintain Awareness of Vulnerabilities and Implement Necessary Patches and Updates | ||
Installing patches is an effective practice. Whenever a new flaw is discovered, the typical | Installing patches is an effective practice. Whenever a new flaw is discovered, the typical | ||
protocol is to alert the software developer immediately so that it can issue a patch. Automatic | protocol is to alert the software developer immediately so that it can issue a patch. Automatic | ||
updating of software and handheld devices provides the simplest means of protecting against | updating of software and handheld devices provides the simplest means of protecting against | ||
cyber vulnerabilities. Limiting upgrades such that only authorized administrators complete the | cyber vulnerabilities. Limiting upgrades such that only authorized administrators complete the | ||
upgrades and that patches and firmware are obtained only from authorized and reputable | upgrades and that patches and firmware are obtained only from authorized and reputable | ||
vendors can prevent hackers from using flaws to their advantage. Maintaining a list of security | vendors can prevent hackers from using flaws to their advantage. Maintaining a list of security | ||
4 | |||
patches and software updates can help ensure that systems are up to date as cyber threats and | patches and software updates can help ensure that systems are up to date as cyber threats and | ||
| Line 429: | Line 510: | ||
vulnerabilities are identified. | vulnerabilities are identified. | ||
Develop and Enforce Policies on Mobile Devices | |||
Establishing reasonable limitations for employees and contractors on the use of mobile devices | Establishing reasonable limitations for employees and contractors on the use of mobile devices | ||
| Line 440: | Line 522: | ||
enables access upon entry of a specific password and locks the device after repeated incorrect | enables access upon entry of a specific password and locks the device after repeated incorrect | ||
password entry attempts is an effective practice. The regulations in 10 CFR Part 37 do not | password entry attempts is an effective practice. The regulations in 10 CFR Part 37 do not | ||
prohibit the storage of sensitive, security-related information on mobile devices. Encryption, remote wipe capability (which allows licensees or device providers to remotely delete all data on | prohibit the storage of sensitive, security-related information on mobile devices. Encryption, remote wipe capability (which allows licensees or device providers to remotely delete all data on | ||
the devices if they are lost or stolen), and routine antivirus software use and update are | the devices if they are lost or stolen), and routine antivirus software use and update are | ||
| Line 454: | Line 536: | ||
subdirectories) can protect the sensitive or security-related information in a laptop or mobile | subdirectories) can protect the sensitive or security-related information in a laptop or mobile | ||
device, even if the hard drive is removed and reinstalled in a different system. Most modern | device, even if the hard drive is removed and reinstalled in a different system. Most modern | ||
operating systems (such as Microsoft Windows) have built-in encrypted file system functionality. | operating systems (such as Microsoft Windows) have built-in encrypted file system functionality. | ||
| Line 460: | Line 542: | ||
It is an effective practice to avoid joining unknown Wi-Fi networks or using public Wi-Fi hotspots, as adversaries could create fake Wi-Fi hotspots designed to attack mobile devices and may | It is an effective practice to avoid joining unknown Wi-Fi networks or using public Wi-Fi hotspots, as adversaries could create fake Wi-Fi hotspots designed to attack mobile devices and may | ||
patrol public Wi-Fi networks for unsecured devices. In addition, limiting the use of the hot-spot | patrol public Wi-Fi networks for unsecured devices. In addition, limiting the use of the hot-spot | ||
functionality on cell phones is effective practice because they can be used as an entry point for | functionality on cell phones is effective practice because they can be used as an entry point for | ||
| Line 474: | Line 556: | ||
(i.e., the item simply provides a container for electronic information storage and cannot be | (i.e., the item simply provides a container for electronic information storage and cannot be | ||
edited, such as compact disks, digital versatile disks, and magnetic tapes). Regardless of the | edited, such as compact disks, digital versatile disks, and magnetic tapes). Regardless of the | ||
type, protection of electronic media is an effective practice. | type, protection of electronic media is an effective practice. | ||
| Line 480: | Line 562: | ||
Labeling and controlling all electronic media and devices according to the highest sensitivity of | Labeling and controlling all electronic media and devices according to the highest sensitivity of | ||
information being stored on the media and devices is an effective practice. Tracking these | information being stored on the media and devices is an effective practice. Tracking these | ||
media and devices and documenting the individuals that have access to them is effective at | media and devices and documenting the individuals that have access to them is effective at | ||
| Line 496: | Line 578: | ||
Purging of all residual data on components that are no longer needed is an effective practice. | Purging of all residual data on components that are no longer needed is an effective practice. | ||
5 | |||
Implement Measures for Detecting Compromises and Develop a Cyber Security Incident | Implement Measures for Detecting Compromises and Develop a Cyber Security Incident | ||
Response Plan | |||
Implementing measures such as intrusion detection systems (IDSs) and intrusion prevention | Implementing measures such as intrusion detection systems (IDSs) and intrusion prevention | ||
systems (IPSs),2 antivirus software, and logs can help to detect compromises in their earliest | systems (IPSs),2 antivirus software, and logs can help to detect compromises in their earliest | ||
stages. Most IDSs and IPSs use signatures to detect port scans, malware, and other abnormal | stages. Most IDSs and IPSs use signatures to detect port scans, malware, and other abnormal | ||
network communications. | network communications. | ||
| Line 511: | Line 594: | ||
Cyber security incident response plans can limit damage and reduce recovery time and costs in | Cyber security incident response plans can limit damage and reduce recovery time and costs in | ||
the event of a cyber security incident. Plans may include measures for reacting to malware and | the event of a cyber security incident. Plans may include measures for reacting to malware and | ||
being prepared to operate manually, if needed. | being prepared to operate manually, if needed. | ||
| Line 521: | Line 604: | ||
applicable software, systems, and devices do not contain any known, exploitable cyber security | applicable software, systems, and devices do not contain any known, exploitable cyber security | ||
vulnerabilities and that they perform all the specified functions. The functionality of digital and | vulnerabilities and that they perform all the specified functions. The functionality of digital and | ||
software-based systems and assets after performing maintenance can be verified. Testing, updating, and patching digital and software-based systems and assets on a routine basis will | software-based systems and assets after performing maintenance can be verified. Testing, updating, and patching digital and software-based systems and assets on a routine basis will | ||
make the compromise of systems and devices more difficult. | make the compromise of systems and devices more difficult. | ||
| Line 537: | Line 620: | ||
2 An IDS is a device or software application that monitors a network or systems for malicious activity or policy | 2 An IDS is a device or software application that monitors a network or systems for malicious activity or policy | ||
violations. An IPS is a network security and threat prevention technology that examines network traffic flows | violations. An IPS is a network security and threat prevention technology that examines network traffic flows | ||
to detect and prevent the exploitation of vulnerabilities.}} | |||
{{Information notice-Nav}} | {{Information notice-Nav}} | ||
Latest revision as of 10:42, 6 January 2025
| ML18044A350 | |
| Person / Time | |
|---|---|
| Issue date: | 08/14/2019 |
| From: | Andrea Kock, Chris Miller Office of Nuclear Material Safety and Safeguards, Office of Nuclear Reactor Regulation |
| To: | |
| Lukes K | |
| References | |
| IN-19-004 | |
| Download: ML18044A350 (9) | |
UNITED STATES
NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR MATERIAL SAFETY AND SAFEGUARDS
OFFICE OF NUCLEAR REACTOR REGULATION
WASHINGTON, DC 20555-001
August 14, 2019
NRC INFORMATION NOTICE 2019-04:
EFFECTIVE CYBER SECURITY PRACTICES
TO PROTECT DIGITAL ASSETS OF
BYPRODUCT MATERIALS LICENSEES
ADDRESSEES
All U.S. Nuclear Regulatory Commission (NRC) byproduct materials licensees that possess
risk-significant quantities of radioactive material and NRC master materials licensees. All
Agreement State Radiation Control Program Directors and State Liaison Officers.
PURPOSE
The NRC is issuing this information notice (IN) to inform licensees of the results of an
assessment conducted by the NRC staff on the potential need for cyber security requirements
for byproduct materials licensees and to communicate effective cyber security practices to
protect digital assets.
The information in this IN is not an NRC requirement; therefore, the NRC requires no specific
action or written response. The NRC is providing this IN to the Agreement States for their
information and for distribution to their applicable licensees, as appropriate.
BACKGROUND
In 2013, the NRC staff assessed the need for cyber security requirements for byproduct
materials licensees as part of its overall strategy to ensure that both reactor and nonreactor
licensees are providing adequate protection against cyber security threats. In 2014, the
Radiation Source Protection and Security Task Force, chaired by the NRC, recommended the
U.S. Government agencies assess the adequacy of and coordinate strategies for preventing
and mitigating cybersecurity vulnerabilities related to Category 1 and Category 2 radioactive
sources. The 2018 Radiation Source Protection and Security Task Force Report (ADAMS
Accession No. ML18235A370 (package)) reported on the NRCs assessment.
DISCUSSION
In the assessment, the NRC staff considered the need for protection from cyber threats to digital
assets in the following four usage categories: digital devices that support the physical security of
licensees facilities; equipment with software-based control, operation, and automation features;
computers used to maintain source inventories, audit data, and records necessary for
compliance with security requirements; and digital technology used to support incident response
communications and coordination.
The NRC staff concluded that the categories of licensees evaluated in this assessment do not
solely rely on digital systems to ensure safety or security. Generally, licensees apply a defense-in-depth approach to safety and security by using measures that include nondigital
features such as doors, locks, barriers, human resources, and operational processes in addition
to any digital assets. In addition, computers used to maintain source inventories, audit data, and records necessary for compliance with security requirements often use encryption, password protection, and other methods of limiting access to digital records to those who have
a need to know. As a result, the NRC staff determined that a compromise of the digital assets
used in these applications would not cause a direct dispersal of risk-significant quantities of
radioactive material1 or exposure of individuals to radiation without a concurrent and targeted
breach of the safety, security, and physical protection measures in force for these licensees.
The NRC staff also determined that the current cyber security threat that these licensees face
does not warrant the development of new regulations related to the protection of risk-significant
quantities of radioactive material against cyber security threats.
Although changes to the regulations are not necessary, the NRC staff concluded that
awareness of mechanisms and practices that can provide protection against cyber security
threats may be valuable to licensee operations and procedures. As a result, the enclosure to
this IN contains effective practices for licensee awareness. The NRC staff also determined that
providing a means to share relevant information resources with licensees would be prudent
because the cyber security threat landscape is constantly evolving. The Conclusion section of
this IN provides information on how to access these resources.
CONCLUSION
Implementation of the requirements found in 10 CFR Part 37 provides reasonable assurance of
adequate protection of public health and safety when considering the potential consequences of
a wide array of attack modes, including cyber. The enclosure to this IN provides additional
effective practices related to cyber security issues licensees may use as applicable.
Previously, the NRC staff provided additional details and examples of applicable effective
practices in guidance developed by the Office of Nuclear Reactor Regulation for nonpower
reactors, Cyber Security: Effective Practices for the Establishment and Maintenance of
Adequate Cyber Security at Non-Power (Research and Test) Reactor Facilities, dated
January 8, 2016 (ADAMS Accession No. ML15252A236 (package)).
In addition, the U.S. Food and Drug Administration (FDA) regulates the manufacturers of
medical devices. Additional information on the FDAs activities, role, and expectations for
continued cyber security of medical devices can be found at
https://www.fda.gov/downloads/medicaldevices/digitalhealth/ucm544684.pdf.
The National Institute of Standards and Technology Special Publication 800 Series is a set of
documents that provides U.S. Federal Government computer security policies, procedures, and
guidelines. These publications, available at https://csrc.nist.gov/publications/sp800, may be
useful to licensees by providing guidelines for workable and cost-effective methods for
optimizing the security of information technology (IT) systems and networks in a proactive
manner. The publications cover all procedures and criteria recommended by the National
1 Risk-significant quantities of radioactive material are defined as those that meet the thresholds for Category 1 and
Category 2 as included in Appendix A, Category 1 and Category 2 Radioactive Materials, of Title 10 of the Code of
Federal Regulations (CFR) Part 37, Physical Protection of Category 1 and Category 2 Quantities of Radioactive
Material. Institute of Standards and Technology for assessing and documenting threats and
vulnerabilities and for implementing security measures to minimize the risk of adverse events.
CONTACT
This IN requires no specific action or written response. Please direct any questions about this
matter to the technical contacts listed below.
/RA/
/RA/
Christopher G. Miller, Director
Andrea L. Kock, Director
Division of Inspection
Division of Materials Safety, Security, State, and Regional Support
and Tribal Programs
Office of Nuclear Reactor Regulation
Office of Nuclear Material Safety
and Safeguards
Technical Contacts: Kim Lukes, NMSS
(301) 415-6701
(301) 415-7842 E-mail: Kim.Lukes@nrc.gov
E-mail: Paul.Goldberg@nrc.gov
Note: NRC generic communications may be found on the NRC public Web site, http://www.nrc.gov, under NRC Library/Document Collections. NRC INFORMATION NOTICE 2019-04: EFFECTIVE CYBER SECURITY PRACTICES TO
PROTECT DIGITAL ASSETS OF BYPRODUCT MATERIALS LICENSEES
ADAMS Accession No.: ML18044A350
CAC/EPID: A11017/L-2019-GEN-0000
- - via email
OFFICE
NMSS/SMPB/TR
NMSS/SMPB/TR
QTE
NMSS/SMPB/BC
NMSS/ASPB/BC
NAME
PGoldberg
KLukes
JDougherty*
ZCruzPerez*
PMichalak*
DATE
03/19/19
03/19/19
03/28/19
05/22/19
05/29/19 OFFICE
NRR/DIRS/IRGB/PM
NRR/DIRS/IRGB/OLA
NRR/DIRS/IRGB/ BC
NMSS/MSST/D
NRR/DIRS/D
NAME
TGovan*
IBetts*
TInverso*
AKock
CMiller
DATE
06/03/19
06/06/19
06/11/19
08/13/19
08/14/19 Official Record Copy
Enclosure
EFFECTIVE CYBER SECURITY PRACTICES TO PROTECT DIGITAL ASSETS OF
BYPRODUCT MATERIALS LICENSEES
EFFECTIVE PRACTICES
Personnel
Define Roles and Responsibilities
Effective practices include instituting role-based access controls to network resources based on
personnel job functions. Limiting permissions through access controls can reduce the risk of
compromise to systems and facilitate better tracking of network intrusions and suspicious
activities. In addition, restricting the number of personnel granted administrative (i.e., super
user or root) rights or accounts on each digital asset and ensuring that all such personnel
have the applicable training and experience in administrative functions for those digital assets is
an effective practice.
Implement Staff Cyber Security Training
One of the best means of preventing cyberattacks is to educate personnel who perform
administrative functions or use digital assets about the mechanisms by which cyberattacks may
be carried out and strategies to protect them. Effective initial and periodic cyber security
training may include information on social engineering methods that malicious actors might use
to attempt to entice employees into providing sensitive personal or corporate information
through phishing, phone calls, or other types of personal interactions; smart browsing practices
such as awareness of malware, updating systems, and installing patches; password policies;
use of portable electronic media and devices; use of wireless communications; appropriate
incident response and reporting; and awareness of relevant information technology (IT) policies
and procedures related to the employees job activities.
Physical Security
Part of the effort to protect digital assets against cyberattacks involves ensuring that physical
security is in place. Devices containing risk-significant radioactive materials that have digital
components to their operations, such as panoramic irradiators and stereotactic radiosurgery
devices, are typically located within security zones that are already subject to Title 10 of the
Code of Federal Regulations (CFR) Part 37, Physical Protection of Category 1 and Category 2 Quantities of Radioactive Material. Effective practices include physical security measures such
as using locked rooms and enclosures for other types of digital assets, such as computers that
house sensitive security-related information.
Some facilities use radiofrequency identification (RFID) personnel badges as part of their
access control systems. Licensees could consider whether their facilities could be susceptible
to badge-cloning attempts. Multifactor authentication measures, such as using a unique
passcode or biometric in association with use of the badge, can augment the secure use of
RFID badges. In addition, a cover or carrier used to shield an RFID personnel badge can
prevent badge-cloning attempts.
2
Beyond physical controls for protecting digital assets, other types of controls, which may be
technical (e.g., firewalls, account passwords, antivirus software) or administrative (e.g., policies, procedures, guidelines, training), can reduce the pathways available for a cyberattack.
Security Information Technology Infrastructure
Maintain an Accurate Inventory of Digital Assets and Eliminate Exposure to External
Networks
Maintaining an inventory of the facilitys digital assets and specifying which, if any, of those
devices are connected to other business networks or the Internet is considered an effective
practice for determining where pathways may exist for cyber threat access. Such an
assessment could be done by mapping out all interconnectivities and dependencies, including
perimeters and connections to other systems. Removing any unnecessary software or services
could eliminate any unnecessary routes for possible cyberattacks.
Implement Local Networks or Network Segmentation and Apply Firewalls
Keeping digital assets isolated from one another (no communications connectivity, or creation of
an isolated local area network (LAN)), when possible, is an effective practice. For example, licensees could maintain boundaries to isolate digital components related to operations
(e.g., panoramic irradiators and gamma stereotactic radiosurgery units) from the digital
components of the physical security systems (e.g., the intrusion detection devices/systems).
This concept also applies in large radioactive material licensee settings (e.g., hospitals and
college campuses) where there is mass interconnectivity of LANs.
As another practice, network segmentation, divides a computer network into subnetworks or
network segments, and it entails classifying and categorizing IT assets, data, and personnel into
specific groups and then restricting access to these groups. Through network segmentation, a
compromise of one device or sector cannot translate into the exploitation of an entire system.
Access to network areas can be restricted by isolating them entirely from each other or by
implementing firewalls or similar security features. A firewall is a software program or hardware
device that filters the inbound and outbound traffic between different parts of a network or
between a network and the Internet. Firewalls can be used to block malware delivery and
attempts at the remote exploitation of various systems and to provide notification of all such
attempts.
Disabling wireless interfaces when they are not needed and avoiding the use of wireless
communications for certain functions is an effective practice. In an automated system, avoiding
the use of wireless communications for any signal or control that is essential for a safety
function is an effective practice. When communicating between remote sites (i.e., sites that are
not part of the internal data communications), the licensee could consider encrypting data
communications, as appropriate and commensurate with the sensitivity of the data being
transmitted.
3
Use Secure Remote Access Methods
If remote access is necessary, a higher level of security can be achieved through a secure
access method, such as use of a virtual private network (VPN). A VPN is an encrypted data
channel for securely sending and receiving data through public IT infrastructure, like the
Internet. This remote access can be further hardened by reducing the number of Internet
Protocol (IP) addresses that can access it (i.e., by limiting access to only a specific set of IP
addresses through a firewall). A VPN is only as secure as the devices connected to it. For
example, a laptop infected with malware can introduce vulnerabilities into the network, which
can lead to additional infections and negate the security of the VPN.
Another practice is to disconnect and remove telephone modems and phone lines used for
temporary remote access when they are not in use.
Implement Measures for Network Port Access
All open network ports on switches, routers, and firewalls could be access points that enable
cyber criminals to gain physical access to licensee networks and computer systems. Licensees
may consider disabling all open and unused network ports. Disabling any ports that will not be
used for an extended period (e.g., when an employee goes on extended leave) is an effective
practice.
Cyber Security Policies
Use Strong Passwords, Change Default Passwords, and Consider Other Access Controls
Strong passwords and the use of different passwords for different accounts can keep systems
and information secure. Password policies that define how complex passwords need to be
generated and how often or under what condition they need to be changed are good preventive
measures. The following techniques are useful in creating unique passwords: (1) avoid using
passwords that are based on personal information that can be easily guessed, (2) use a
combination of capital and lowercase letters, numbers, and special characters, and (3) develop
mnemonics such as passphrases for remembering complex passwords. In addition, using
password managers and implementing policies of not reusing passwords across accounts are
effective practices, as well as changing all default passwords upon installation of new software
and using account lockout controls that activate when too many incorrect passwords have been
entered. Multifactor authentication, under which users must verify their identities whenever they
attempt to sign in, is an effective practice.
Providing temporary accounts for vendor or contractor support and updating password and user
account policies to identify events that would trigger a need to remove an account are effective
practices.
Maintain Awareness of Vulnerabilities and Implement Necessary Patches and Updates
Installing patches is an effective practice. Whenever a new flaw is discovered, the typical
protocol is to alert the software developer immediately so that it can issue a patch. Automatic
updating of software and handheld devices provides the simplest means of protecting against
cyber vulnerabilities. Limiting upgrades such that only authorized administrators complete the
upgrades and that patches and firmware are obtained only from authorized and reputable
vendors can prevent hackers from using flaws to their advantage. Maintaining a list of security
4
patches and software updates can help ensure that systems are up to date as cyber threats and
vulnerabilities are identified.
Develop and Enforce Policies on Mobile Devices
Establishing reasonable limitations for employees and contractors on the use of mobile devices
(e.g., laptops, tablets, and smartphones) in the conduct of business in the office or at an offsite
workplace is an effective practice.
Enhancing the security of mobile devices by configuring them with a password feature that only
enables access upon entry of a specific password and locks the device after repeated incorrect
password entry attempts is an effective practice. The regulations in 10 CFR Part 37 do not
prohibit the storage of sensitive, security-related information on mobile devices. Encryption, remote wipe capability (which allows licensees or device providers to remotely delete all data on
the devices if they are lost or stolen), and routine antivirus software use and update are
additional effective practices for mobile devices, as well as securely deleting all stored
information on devices before discarding them.
Enabling full-disk or folder encryption (i.e., the encryption of all files in a directory and its
subdirectories) can protect the sensitive or security-related information in a laptop or mobile
device, even if the hard drive is removed and reinstalled in a different system. Most modern
operating systems (such as Microsoft Windows) have built-in encrypted file system functionality.
It is an effective practice to avoid joining unknown Wi-Fi networks or using public Wi-Fi hotspots, as adversaries could create fake Wi-Fi hotspots designed to attack mobile devices and may
patrol public Wi-Fi networks for unsecured devices. In addition, limiting the use of the hot-spot
functionality on cell phones is effective practice because they can be used as an entry point for
tampering.
Develop and Enforce Policies on Electronic Media and Device Handling
Electronic media can be either active (i.e., items can be edited, such as hard drives, secure
digital memory cards, subscriber identity module cards, and USB memory sticks) or passive
(i.e., the item simply provides a container for electronic information storage and cannot be
edited, such as compact disks, digital versatile disks, and magnetic tapes). Regardless of the
type, protection of electronic media is an effective practice.
Labeling and controlling all electronic media and devices according to the highest sensitivity of
information being stored on the media and devices is an effective practice. Tracking these
media and devices and documenting the individuals that have access to them is effective at
preventing cyber attacks.
Whether active or passive media are used to transfer information to a system, the content of the
data container on the media can be a vehicle for viruses, malware, or other malicious code.
When loading or copying information onto a digital asset, an antivirus scan can be conducted on
the media used for the transfer.
Purging of all residual data on components that are no longer needed is an effective practice.
5
Implement Measures for Detecting Compromises and Develop a Cyber Security Incident
Response Plan
Implementing measures such as intrusion detection systems (IDSs) and intrusion prevention
systems (IPSs),2 antivirus software, and logs can help to detect compromises in their earliest
stages. Most IDSs and IPSs use signatures to detect port scans, malware, and other abnormal
network communications.
Cyber security incident response plans can limit damage and reduce recovery time and costs in
the event of a cyber security incident. Plans may include measures for reacting to malware and
being prepared to operate manually, if needed.
Develop and Enforce Policies on Maintenance and Testing
Cyber security testingparticularly before deploying new componentscan verify that
applicable software, systems, and devices do not contain any known, exploitable cyber security
vulnerabilities and that they perform all the specified functions. The functionality of digital and
software-based systems and assets after performing maintenance can be verified. Testing, updating, and patching digital and software-based systems and assets on a routine basis will
make the compromise of systems and devices more difficult.
If the maintenance and support of digital assets is outsourced to vendors, it is an effective
practice to establish a means of confirming that the remote support from vendors or IT
organizations is secure and that vendor support personnel can handle cyber security-related
issues.
2 An IDS is a device or software application that monitors a network or systems for malicious activity or policy
violations. An IPS is a network security and threat prevention technology that examines network traffic flows
to detect and prevent the exploitation of vulnerabilities.