ML18227A182
ML18227A182 | |
Person / Time | |
---|---|
Issue date: | 08/15/2018 |
From: | Lawson-Jenkins K M NRC/NSIR/DPCP/CSB |
To: | |
References | |
DG-5061, RG-5.71 | |
Download: ML18227A182 (12) | |
Text
Revision of RG 5.71(Draft Guidance 5061)Kim Lawson
-JenkinsCyber Security BranchDivision of Physical and Cyber Security PolicyOffice of Nuclear Security and Incident Response 1
2Reasons for revising RG 5.71
- RG 5.71 released in 2010
- Since 2010-
-New NRC regulation
-Implementation of cyber security plans at licensees' plants-Milestone 1
-7 cyber security inspections
-NEI 13-10-Addendums to NEI 08
-09*Work began on DG
-5061 in spring 2016 Scope of Updates
- Clarify existing interpretation of regulations
- Based on lessons learned from Milestones 1
-7 inspections
- Changes apply going forward*New regulation since 2010
-Cyber security event notification
-53 r4*New IAEA security guidance 3
4Dependencies
- Resolution of SFAQs oDeterministic Devices oData Integrity oMoving Data Between Security Levels oTreatment of Maintenance & Test Equipment
- Outcome of 2016 Table Top Exercises oDetection Response and Elimination oMonitoring and Assessment oDrills and Exercises
- NEI 08-09 Addendums Staff Regulatory GuidanceAsset Identification associated with 10 CFR 73.54*Balance of Plant Equipment
- The importance of identifying attack surfaces and attack pathways in the analysis of digital systems 5
Staff Regulatory GuidanceProtection of digital assets 6
Staff Regulatory GuidanceProtection of digital assets
- Purpose of security controls -Control intent added to Appendices B and C
- Reducing or eliminating attack surfaces and attack pathwaysEffectiveness of security measures
- Cyber security metrics
-What is being measured?
-Why is it being measured?
-What do the metrics mean?
7 KStaff Regulatory Guidance 8The Big PictureSSEP functionsCDACDACDACDAsSecurity ControlsKnowledge of Attack Surfacesand PathwaysPerformApplied ToContinuously Monitored for EffectivenessCyber Security Plan Other Changes
- Defensive Architecture
- Glossary*References
- Appendix A (CSP template)
-only editorial changes 9 Appendices B & C (security controls) 10 DG-5061NEI 08-09Rationale for change/differenceB.1.9Previous Logon NotificationRemoved controlIntent covered in covered in logging/audit controlsB.1.11 Supervision and Review
-Access ControlRemoved controlIntent covered in covered in logging/audit controlsB.1.14 Automated LabelingRemoved controlRemoved controlIntent is covered in C.1.3 Media Labeling/MarkingB.3.5 Resource PriorityRemoved controlRemoved control Anysafety requirements for resource priority would have precedence. This control is usually applicable in the design phase of a digital device.B.3.19 Thin NodesRemoved controlRemoved controlThis control would becovered inthe B.5.1 Removal of Unnecessary Services and Programs. B.3.20Heterogeneity/DiversityRemoved controlDifferentdepending on safety or security context.B.3.21Fail in a known stateRemoved controlImportantfor security Tentative Schedule
- Public Comment Period
-60 days*Comments Resolution
-late 2018*Publication of RG 5.71 rev 1
-early 2019 11 Questions 12