Text

IAEA Technical Meeting on Instrumentation and Control and Computer Security for Small Modular Reactors and Microreactors February 21-25, 2022

U.S. A. Regulatory Efforts for Cyber Security of Advanced Reactors

Juris Jauntirans Ismael Garcia Michael T. Rowland Cyber Security Specialist Senior Level Advisor, Cyber Security and Sandia National Laboratory U.S. Nuclear Regulatory Commission Digital Instrumentation and Control U.S. Nuclear Regulatory Commission Draft Cyber Security Requirements fo r Advanced Re a c t o rs

2 Background - Found in 10 CFR 73.54 Po w e r Reactors Protect digital assets that perform Cyber specified functions Requirements Protect from cyber attacks up to an including a DBT

3 Proposed New Cyber Requirements

10 CFR Part 53 Preliminary New Cyber development for Proposed Rule Requirements in Advanced Reactors Language Proposed Rule Publicly Available

4 Preliminary Proposed Cyber Requirements

Reference:

Part 73.110, "Technology Neutral Requirements for Protection of Digital Computer and Communication Systems and Networks, ADAMS Accession Number ML21308A026 5 10 CFR 73.110 D ra f t Regulatory Guide Concepts

6 Draft Regulatory Guide Development

An acceptable Effective guidance Leverage approach for to support a IAEA and IEC meeting the performance-security 10 CFR 73.110 based regulatory approaches requirements framework

7 Facility Level D ra f t Regulatory Guide - Function Level Three-Tier Analysis Approach System Level

8 CEAS: Cyber-Enabled Accident Scenario Important Terminology CEIS: Cyber-Enabled Physical Intrusion Scenario

9 Overview of Draft Regulatory Guide Performance-based/Risk Informed Approach

S TA R T -

Existing Safety and Security Analyses

Evaluate DB and PPS for Update protection against CEAS DB and/or PPS Facility and CEIS Level Ye s CEAS or CEIS Security result in 10 CFR By 73.110(a) Ye s Design consequences? Feasible?

No No DB elements and PPS features ensure that Develop Adversary potential cyber attacks do not result in 10 CFR 73.110(a) Functional Scenarios Function consequences Level

DB - Design Basis PPS-Physical Protection Systems CEIS-Cyber Enabled Intrusion Scenario CEAS-Cyber Enabled Accident Scenario 10 Overview of Draft Regulatory Guide Performance -based/Risk Informed Approach (Cont.)

Specify CSP and DCSA elements (e. g.,

prohibitions, passive/deterministic devices) to eliminate or mitigate attacks Ye s

Function Do unmitigated Level Passive Ye s Adversary Defense Functional Feasible? Scenarios remain?

No No

Document CSP and DCSA Optional elements required to prevent credible cyber attack scenarios

CSP-Cyber Security Plan DCSA-Defensive Computer Security Architecture 11 Overview of Draft Regulatory Guide Performance-based/Risk Informed Approach (Cont.)

Identify Critical Functions and Systems

Develop or Update Adversary Technical Sequences System Level Specify active CSP and DCSA

elements (e.g., detection and response systems) and System Cyber Security Controls

Document CSP and DCSA Ye s NoUnmitigated elements, including cyber Sequences? security controls, needed to protect against cyber attacks

CSP-Cyber Security Plan DCSA-Defensive Computer Security Architecture 12 Continue work on Proposed Cyber Requirements and draft Future Regulatory Guide Wo r k Inclusion in Part 53 rulemaking package

13 14