ML21320A055
| ML21320A055 | |
| Person / Time | |
|---|---|
| Issue date: | 10/22/2021 |
| From: | Advisory Committee on Reactor Safeguards |
| To: | |
| Antonescu, C, ACRS | |
| References | |
| NRC-1727 | |
| Download: ML21320A055 (249) | |
Text
Official Transcript of Proceedings NUCLEAR REGULATORY COMMISSION
Title:
Advisory Committee on Reactor Safeguards Digital Instrumentation and Control Docket Number: (n/a)
Location: teleconference Date: Friday, October 22, 2021 Work Order No.: NRC-1727 Pages 1-204 NEAL R. GROSS AND CO., INC.
Court Reporters and Transcribers 1716 14th Street, N.W., Suite 200 Washington, D.C. 20009 (202) 234-4433
1 1
2 3
4 DISCLAIMER 5
6 7 UNITED STATES NUCLEAR REGULATORY COMMISSIONS 8 ADVISORY COMMITTEE ON REACTOR SAFEGUARDS 9
10 11 The contents of this transcript of the 12 proceeding of the United States Nuclear Regulatory 13 Commission Advisory Committee on Reactor Safeguards, 14 as reported herein, is a record of the discussions 15 recorded at the meeting.
16 17 This transcript has not been reviewed, 18 corrected, and edited, and it may contain 19 inaccuracies.
20 21 22 23 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 www.nealrgross.com
1 1 UNITED STATES OF AMERICA 2 NUCLEAR REGULATORY COMMISSION 3 + + + + +
4 ADVISORY COMMITTEE ON REACTOR SAFEGUARDS 5 (ACRS) 6 + + + + +
7 DIGITAL I&C SUBCOMMITTEE 8 + + + + +
9 FRIDAY 10 OCTOBER 22, 2021 11 + + + + +
12 The Subcommittee met via Videoconference, 13 at 9:30 a.m. EDT, Charles Brown, Chairman, presiding.
14 COMMITTEE MEMBERS:
15 CHARLES H. BROWN, JR., Chairman 16 RONALD G. BALLINGER, Member 17 VICKI BIER, Member 18 VESNA B. DIMITRIJEVIC, Member 19 GREG HALNON, Member 20 WALTER L. KIRCHNER, Member 21 JOSE MARCH-LEUBA, Member 22 DAVID A. PETTI, Member 23 MATTHEW W. SUNSERI, Member 24 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
2 1 ACRS CONSULTANT:
2 MYRON HECHT 3 DESIGNATED FEDERAL OFFICIAL:
4 CHRISTINA ANTONESCU 5 ALSO PRESENT:
6 SCOTT MOORE, ACRS Executive Director 7 SABRINA ATACK, NSIR 8 MEKONEN BAYSSIE, RES 9 JIM BEARDSLEY, NSIR 10 ERIC BENNER, NRR 11 SUSHIL BIRLA, RES 12 CHRISTOPHER BROWN, ACRS 13 LARRY BURKHART, ACRS 14 TOM DASHIELL, ACRS 15 RONALDO JENKINS, RES 16 JEANNE JOHNSTON, NRR 17 ANYA KIM, RES 18 KIM LAWSON-JENKINS, NSIR 19 ERIC LEE, NSIR 20 HOSSEIN NOURBAKHSH, ACRS 21 MERAJ RAHIMI, RES 22 DAVID RAHN, NRR 23 ERICK RODRIGUEZ MARTINEZ 24 MICHELE SAMPSON, NSIR 25 TAMMY SKOV, ACRS NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
3 1 DINESH TANEJA, NRR 2 WEIDONG WANG, ACRS 3 DEREK WIDMAYER, ACRS 4 BRIAN YIP, NSIR 5
6 7
8 9
10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
4 1 CONTENTS 2 Opening Remarks . . . . . . . . . . . . . . . . . 5 3 Introductory Remarks . . . . . . . . . . . . . . 8 4 Background . . . . . . . . . . . . . . . . . . . 12 5 Purpose and Goals for Development of 6 Proposed Rev. 1 to RG 5.71 . . . . . . . . . . . 84 7 Status and Next Steps for Completion of 8 Final Rev. 1 to RG 5.71 . . . . . . . . . . . . 147 9 Q&A . . . . . . . . . . . . . . . . . . . . . . 200 10 Closing Remarks . . . . . . . . . . . . . . . . 204 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
5 1 P R O C E E D I N G S 2 9:34 a.m.
3 CHAIR BROWN: All right, I'm going to call 4 the meeting to order. This is a meeting of the 5 digital instrumentation and control Subcommittee. I'm 6 Charles Brown, Chairman of the Subcommittee Meeting.
7 ACRS Members in attendance are Matt 8 Sunseri, Vesna Dmitrijevic, Ron Ballinger, Dave Petty, 9 Walt Kirchner, Vicki Bier, Gregory Hallman, and is our 10 consultant, Myron, on right now, Christina?
11 MS. ANTONESCU: Yes, Myron is on the 12 phone, yes.
13 CHAIR BROWN: Okay, I didn't see the other 14 thing. Thanks, Myron.
15 MR. HECHT: Good morning, Charlie.
16 CHAIR BROWN: Jose March-Leuba will be 17 late, he has something to take care of. Christina 18 Atonescu of the ACRS Staff is the designated federal 19 official for this meeting.
20 I presume, Christina, the court reporter 21 is on.
22 MS. ANTONESCU: Yes, Member Brown.
23 CHAIR BROWN: The purpose of this meeting 24 is for the Staff to brief the Subcommittee on proposed 25 Revision 1 to Regulatory Guide 5.71, Cybersecurity NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
6 1 Programs for Nuclear Facilities, Draft Guide 5061, 2 Revision 1.
3 The ACRS was established by statute and it 4 was governed by the Federal Advisory Committee Act, 5 FACA. That means the Committee can only speak through 6 its published letter reports. We hold meetings to 7 gather information to support our deliberations.
8 Interested parties who wish to provide 9 comments can contact our office requesting time. That 10 said, we set aside 10 minutes for comments from 11 members of the public attending or listening to our 12 meetings.
13 Written comments are also welcome. The 14 meeting agenda for today was published on the NRC 15 public meeting website as well as the ACRS meeting 16 website. On the agenda for this meeting and on the 17 ACRS meeting website are instructions as to how the 18 public may participate.
19 No request for making a statement to the 20 Subcommittee has been received from the public. Due 21 to COVID-19, we are conducting today's meeting 22 virtually. A transcript of the meeting is being kept 23 and will be made available on our website.
24 Therefore, we request that participants in 25 this meeting first identify themselves and speak with NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
7 1 sufficient clarity and volume so that they can be 2 readily heard. All presenters, please pause from time 3 to time to allow members to ask questions.
4 Please also indicate the slide number you 5 are on when moving to the next slide. We have the MS 6 Team phone line, audio only, established for the 7 public to listen to the meeting.
8 Based on our experience from previous 9 virtual meetings, I would like to remind the speakers 10 and presenters to speak slowly. We will take a short 11 break after each presentation to allow time for 12 screen-sharing as well as the Chairman's discretion 13 during longer presentations.
14 Lastly, please do not use any virtual 15 meeting feature to conduct sidebar technical 16 discussions. Rather, contact the DFO if you have any 17 technical questions so that we can bring those to the 18 fore.
19 Before I proceed onto Ms. Lawson-Jenkins 20 to share her screen and Michelle to provide comments, 21 I'd like to remind everybody this is a Subcommittee 22 meeting and comments or suggestions or recommendations 23 which appear to be recommendations made by Committee 24 Members as well as myself are our opinions and are not 25 the Committee opinion.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
8 1 They will not be Committee opinions until 2 we formally complete this process with a full 3 Committee meeting and we prepare a letter report, 4 where we will end up with a consensus set of comments, 5 observations, or recommendations.
6 We will now proceed with the meeting and 7 I will ask Ms. Lawson-Jenkins of the cybersecurity 8 Branch and the Office of Nuclear Security and Incident 9 Response to share her screen with us, which she has 10 done, while Michele Sampson, the Deputy Director of 11 the Division of Cybersecurity Policy in the Office of 12 Nuclear Security and Incident Response for any 13 introductory remarks you care to make before we begin 14 today's presentations.
15 So, Michele, it's your floor.
16 MS. SAMPSON: Thank you, good morning. We 17 appreciate this opportunity to brief the digital INC 18 Subcommittee on our revision to Regulatory Guide 5.71, 19 cybersecurity programs for nuclear power reactors.
20 We will share with you how the regulatory 21 guide update was informed by lessons learned from our 22 oversight inspections at the operating fleet, and 23 changes in standards and technology.
24 The Staff have inspected each operating 25 station at least twice over the past nine years, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
9 1 evaluating both their interim implementation and 2 subsequently the full implementation of each 3 cybersecurity program.
4 Additionally, during the 11 years since 5 Reg Guide 571 was published, the national institute of 6 standards and the International Atomic Energy Agency, 7 IAEA, have developed standards for nuclear 8 applications and industrial control systems that 9 provide additional guidance that we have incorporated 10 into this revision.
11 Our NSIR Staff are working closely with 12 the regional cybersecurity inspection branches and 13 NRR's Division of Engineering to prepare for 14 inspection of future digital INC upgrades.
15 We do not anticipate that licensees will 16 need to submit amendments to the licensee 17 cybersecurity plans as a result of the digital INC 18 upgrades. However, we expect that inspection will be 19 a key tool that we use to verify the continued 20 effectiveness of cybersecurity protections.
21 The Staff have supported Region 4 and the 22 NRR vendor inspection team during inspection of the 23 Waterford digital INC upgrade factory acceptance 24 testing. We have also supported the pre-licensing 25 activity for the future Turkey Point digital INC NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
10 1 upgrade.
2 NSIR is actively evaluating cybersecurity 3 threat through our Intelligence and Threat Assessment 4 Branch and interagency liaison.
5 Our Staff are working with the Office of 6 Research to evaluate future innovation activities and 7 to understand the potential impacts on the current 8 cybersecurity infrastructure with safety and security 9 as our primary focus.
10 The cybersecurity program as it's defined 11 in Reg Guide 571, is a holistic program that addresses 12 the protection for safety, security, and emergency 13 preparedness digital assets through defense in-depth 14 across their lifecycle.
15 The regulatory guide describes the steps 16 to conduct a detailed analysis of critical systems and 17 the associated digital assets to understand the whole 18 of what's being protected and ensure a comprehensive 19 cybersecurity program.
20 Kim will walk through these critical 21 requirements for developing an effective cybersecurity 22 program today.
23 As part of our review of updated standards 24 and other guidance, the Staff have reviewed Reg Guide 25 1.152, Revision 3, criteria for use of computers and NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
11 1 safety systems of nuclear power-plants and identified 2 appropriate reference points in the draft of Reg Guide 3 571 to reference to Reg Guide 1.152 prior to EDO 4 direction earlier this year.
5 Following receipt of that direction, the 6 Staff reviewed the draft and continue to feel that it 7 has clear guidance to encourage the consideration of 8 cybersecurity during design as well as a clear 9 description of the cybersecurity requirements that 10 must be met before an operating license can be issued 11 for a new reactor.
12 In addition to considering new 13 technologies as they pertain to the operating fleet, 14 we are also preparing for a new advanced reactor 15 design.
16 As you heard at the July 22and meeting 17 with this Subcommittee, the cybersecurity staff are 18 actively developing a consequence-based framework for 19 advanced reactors with the goal of ensuring an 20 equivalent level of protection in a technology-neutral 21 framework.
22 We have and will continue to engage with 23 a broad range of stakeholders to gather insights as we 24 move forward rules, techs, and guidance.
25 We believe that a consequence and NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
12 1 performance-based approach will provide the most 2 effective framework to ensure safety and security 3 given the potential breadth of reactor technologies 4 and the ever-changing cyberthreat landscape.
5 Issuing the revised Reg Guide 571 is one 6 of our first steps moving in that direction.
7 The concludes my remarks and I will now 8 turn to Kim Lawson-Jenkins. Thank you.
9 MS. LAWSON-JENKINS: Thank you, Michele, 10 for the introductory remarks. As was said, my name is 11 Kim Lawson-Jenkins, I'm a Staff Member of the 12 Cybersecurity Branch in the Office of Nuclear Security 13 and Incident Response.
14 My colleague, Brian Yip, is advancing the 15 slide for me so Brian, let's advance to Slide 2. I'm 16 going to start with an overview of the presentation 17 where I first talk about the key messages of it, the 18 background of Reg Guide 571, and then the inspection 19 program that we've had here at the NRC.
20 We're specifically getting to the major 21 updates that we had to the reg guide and discuss the 22 conclusion and questions and answers. That will be a 23 final question and answer.
24 I'm really looking forward to questions 25 and answers throughout the presentation on different NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
13 1 slides to find any clarification as needed. Slide 3?
2 Since 2012, operating nuclear power-plant 3 licensees have implemented cybersecurity programs and 4 the NRC has implemented effectiveness oversight of the 5 ECSPs. This was mentioned by Michele in her 6 introductory remarks.
7 I want to emphasize there has been no 8 changes in the Staff's position since the introduction 9 of Reg Guide 571. Only clarifications that we found 10 were needed throughout the implementation of the 11 different programs.
12 And one new NRC regulation, Title 10 CFR 13 Part 73-77, which was the new rule for cybersecurity 14 event notifications. The draft guidance 5061 reflects 15 the lessons learned that we've had since the issuance 16 of Reg Guide 571 in 2010.
17 And it's going to form the basis of how we 18 go forward in the future with the program. Next 19 slide, please, Brian.
20 As Michele also mentioned, there was a 21 presentation to this very same Committee in July and 22 I'm going to just briefly cover some of the same 23 ground because it is really critical to understand the 24 work that we've actually done within the Cybersecurity 25 Branch that's going to be reflected in this new NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
14 1 update.
2 In 2009, the cybersecurity rule was made 3 effective, that's 10 CFR 7354. And the following year 4 in 2010, the NRC and NEI established regulatory guides 5 guidance for implementing a cybersecurity program.
6 And both of those documents were deemed 7 acceptable for use by licensees. In 2011, the 8 industry and NRC agreed on interim milestones, 9 Milestones 1 through 7, to implement a cybersecurity 10 program.
11 And those interim guidelines were 12 implemented in 2012. From 2013 to 2015, the NRC 13 conducted inspections of the milestone 14 implementations. The new cybersecurity notification 15 rule became effective after the interim plans were 16 effective.
17 And starting in 2107, we began inspections 18 of the full implementation of the cybersecurity 19 programs. During all this time there was a lot of work 20 that was done.
21 We've worked with industry, generated 22 security frequently asked questions and guidance for 23 the licensees when there was some questions about how 24 to really implement the program.
25 NEI 1310 Assessment of Cybersecurity NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
15 1 Controls was generated by the industry, which is by a 2 document that says based on the consequence of the 3 devices being protected by the system that's being 4 protected, a set of security controls will be applied.
5 We participated in several workshops and 6 table-top exercises with the industry to clarify what 7 we saw as appropriate implementation of programs.
8 So, there was a lot of work going on, not 9 just the inspections but a lot of the discussions back 10 and forth with industry so that we had a common view 11 of what adequate implementation of the program would 12 be.
13 Next slide, Brian, Slide 5?
14 CHAIR BROWN: Can you stick with that 15 slide for a minute?
16 MS. LAWSON-JENKINS: Yes, Slide 4.
17 CHAIR BROWN: I want to provide just an 18 observation on a perspective.
19 This is not bad, good, or anything else, 20 it's just an observation based on how back in the 2009 21 timeframe when we started down this path of trying to 22 deal with the cyber issues, I came on the Committee in 23 2008, May.
24 And I actually wrote the letter on Rev 0 25 for Reg Guide 5.71 for the Committee, along with NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
16 1 George Apostolakis, who was on the Committee at that 2 time as well.
3 And thinking on the big-picture aspect, we 4 did really focus or understand one of the key points 5 of the introduction part of Rev 0, where you talk 6 about this reg guide -- I might as well, instead of 7 paraphrasing, since I have it open, it said this 8 regulatory guide applies to operating reactors 9 licensed in accordance with 10 CFR 50 and all that 10 kind of stuff.
11 It very clearly states that. We were just 12 starting into the ESVWR AP1000, the new design 13 Applicants that were on board.
14 We never connected the dots on the fact 15 that this said only operating reactors was going to 16 prevent the use of these concepts during our review of 17 the new Applicants.
18 I'm not criticizing anything, that's just 19 a fact. We didn't think about it at that time from 20 that standpoint.
21 As you're well aware of, we've made that 22 comment several times over the last few years as well 23 as in one of our more recent letters on the ability to 24 use the methods in this document during the 25 certification process for new license applications.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
17 1 So, I will have some observations along 2 those lines, I'm just giving you a hint as we go 3 through this. You've probably heard me say this 400 4 million times now over the last periods of time.
5 And if I look at the new Reg Guide as you 6 all have proposed it, and I happen to have that open 7 also, the applicability paragraph says the same thing 8 only in much shorter words.
9 It deletes a bunch of other type stuff and 10 I will be making the observation or the suggestion I 11 hope when we finally finish this all up that we need 12 to, and as a result of our letter to Chairman as well 13 in terms of trying to get agreements from everybody.
14 And EDO's response where it was mentioned 15 that we would be receiving 5.71 and 1.152 and 7-19 to 16 make it more easily utilized under those 17 circumstances.
18 And so I will probably be proposing 19 something along the line that the methods used 20 described in this reg guide may be used during design 21 certification phase for new applications to ensure 22 control of access, which is what it is for safety 23 systems.
24 Because they don't have any cyber software 25 in them. They cannot have virus protection software, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
18 1 it would compromise their normal operations. So, it's 2 really control of access, not a cyber issue.
3 And that means we really need to pay 4 attention to the communications methods.
5 So, I'm just giving you a heads-up, I 6 think this was based on the letters and the responses 7 and the EDO's memo to the Commission that this is an 8 ideal place to make some observations in the 9 applicability that the methods used in here can be 10 used for other purposes.
11 So, I'm just giving you a head-up and a 12 little bit of focus on how we started this 10 years 13 ago, 11 years ago, and how that knowledge of how it 14 needs to be applied needs to be more broadly thought 15 about.
16 So, that's an opening thought process to 17 keep in mind as we go through here, okay?
18 MS. LAWSON-JENKINS: Okay, we will discuss 19 this I'm pretty sure, like you said, multiple times 20 through the document.
21 CHAIR BROWN: There's other items sort of 22 related to that, some are a little more specific, some 23 are a little bit more broad.
24 One of the things I will bring up, and 25 it's important to note this in the beginning so I'll NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
19 1 bring this up as well is prior to computer-based 2 systems, it was all analog, there was no concern about 3 what I call electronic access to systems.
4 It was all physical administrative control 5 of people getting down into the plant, opening up 6 drawers, making set-point changes, fixing stuff, 7 adding new circuits, whatever.
8 When we started using the computer-based 9 systems, those physical security systems don't work.
10 There's no way they will protect you from electronic 11 access.
12 And therefore, the communications from 13 what I call the safety-related stuff like reactor-trip 14 safeguards, control systems for the reactor 15 monitoring.
16 And as the Commission noted in a later 17 SRM, there's a number of the balance of plant systems 18 that are also you call them critical or related to 19 safety-type operations, where they can't have their 20 control functions contaminated by cybersecurity 21 software.
22 So, those become a control of access issue 23 and how you protect those from electronic access, 24 which means you really don't want anybody outside the 25 plan communicating with them.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
20 1 So, that's the focus we've been focusing 2 on. They key is control of access has changed. It 3 used to be physical, now it's electronic and physical.
4 And the electronic needs to be more 5 carefully considered during the design phase and 6 that's what we've been talking about over this period 7 of time.
8 I just wanted to make that differentiation 9 because there's a paragraph in here where I will be 10 flipping the way that paragraph was written to provide 11 some context to it.
12 But I'm not saying anything is right or 13 wrong, I'm just saying that's the real world and 14 trying to make sure the whole program, that's the NRC, 15 the Committee, and anybody else thinks about it in a 16 manner that's consistent with where we were, where we 17 are now, and what means can you use?
18 Because literally safety systems, you 19 cannot put virus software in their operating system.
20 You cannot constantly update it, you will just 21 contaminate it, and you will really set yourself up 22 for vulnerabilities with external access downloading 23 new upgrades.
24 Even if you do it internal to the plant 25 and bring them in, you have to be careful how you do NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
21 1 that, whatever CDs or thumb drives, or however you 2 update the software, you have to be careful you don't 3 introduce problems.
4 So, anyway, that's just a little bit of 5 history and background also in terms of the way I look 6 at it. I did deal with this in my old program in the 7 naval nuclear program for 22 years as we introduce 8 this stuff from 1977 to the year 2000.
9 So, if I sound like I'm hard over, I'm 10 very passionate about that if nobody's figured that 11 out by now.
12 MS. LAWSON-JENKINS: We have a passionate 13 group of people also in the Cybersecurity Branch.
14 CHAIR BROWN: Thank you very much, Kim, 15 for letting me yodle on here.
16 MS. LAWSON-JENKINS: No problem. Let's go 17 to the next slide, Slide 5.
18 I specifically put this picture in the 19 background because whenever I was giving presentations 20 on the cybersecurity program or explaining it, I felt 21 people were focusing very much so on the controls, 22 security controls.
23 If we apply enough security controls we 24 won't get a violation, not really understanding, or at 25 least not clarifying to us as the inspectors, why the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
22 1 controls were applied.
2 And as a computer scientist looking at 3 this and looking at the systems, if you look at the 4 rule, the rule talks about protecting SSEP functions.
5 It does admit critical digital assets, it really 6 doesn't even mention cybersecurity controls.
7 What it says is there must be a plan in 8 the program to protect computer systems and 9 communication systems that perform SSEP functions.
10 That's what the rule says.
11 CHAIR BROWN: Can you clarify? SSEP is 12 safety --
13 MS. LAWSON-JENKINS: Safety important to 14 safety, security and EP.
15 CHAIR BROWN: Emergency planning?
16 MS. LAWSON-JENKINS: Emergency 17 preparedness, sorry.
18 CHAIR BROWN: Thank you.
19 MS. LAWSON-JENKINS: So, it is safety but 20 also important to safety and we're going to see that 21 a little bit later on in one of the slides. Both the 22 NEI document but definitely Reg Guide 571, which we 23 generated, mentions critical digital assets.
24 So, these are the assets in there systems 25 that affect SSEP functions. The licensees can NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
23 1 implement their plans apply security controls to the 2 critical digital assets, I'm going to call them CDAs 3 now so I won't repeat the name.
4 The apply the controls to the CDAs but to 5 do that effectively, it was clear that they needed to 6 acknowledge the attack surfaces and attack pathways.
7 And you've alluded to this, you alluded to this in 8 your discussion on the last slide.
9 You must understand access control, you 10 must understand how an attacker might try to get into 11 your system and try to gain access to some of these 12 devices. So, this revision of the guidance discusses 13 attack surfaces, attack pathways more.
14 I think we had the term pathway in there 15 but not really the term attack pathways. We never 16 talked about attack surfaces, which you have to 17 understand when you're look at vulnerability updates 18 and things like that.
19 So, this yellow circle where it says 20 acknowledge of attack surface and pathways, that's a 21 clarification we added to be able to apply security 22 controls effectively you must have this information or 23 must understand this information.
24 And we also emphasize continuous 25 monitoring of your plan to make sure that the security NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
24 1 controls were implemented effectively and that they 2 stay effective throughout the lifecycle of the plant.
3 You don't just apply them at the beginning 4 and not look at them again. They have to stay intact 5 and that is also mentioned in the rule. So, this is 6 the big picture.
7 It's just not applying cybersecurity 8 controls and saying we've done it, we have a plan.
9 We have to continually monitor it and look 10 at the effectiveness of those things. Is there any 11 question about this? Member Brown, you said we were 12 going to keep talking about certain things with access 13 control.
14 We're going to keep drilling back to this 15 knowledge of the attack surface and pathways that 16 we're continuously monitoring to make sure we see the 17 controls that we did apply are effective in the plant.
18 Next slide, Brian. I'm going to speak 19 briefly about the Milestone 1 through 7 inspections 20 because they are really critical.
21 They were a great foundation on how to 22 implement a cybersecurity plan in the cybersecurity 23 program, which is pretty complicated.
24 There's a lot of information and a lot of 25 data that has to be gathered and controls that have to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
25 1 be implemented to implement a plan.
2 So, the milestone inspections and the 3 implementation of the milestones was a wonderful first 4 step because they focused on the most critical things.
5 Number one, there was the establishment of 6 a cybersecurity assessment team, which is a cross-7 functional across the main team that will be 8 responsible for establishing the program, implementing 9 the program, and making sure the program remains 10 effective.
11 Milestone 2 was to identify all critical 12 digital assets in the plant in the facility.
13 Milestone 3 was to implement a one-way 14 deterministic device that would protect the safety, 15 important to safety and security CDAs from plant 16 equipment that was not in the program or that was in 17 a lower security level than the security safety and 18 important to safety equipment.
19 That one-way deterministic device protects 20 the equipment against unauthorized access from wired 21 communication. You can only send the information in 22 one direction from behind the data diode to a lower 23 security level.
24 You cannot use wired communication to send 25 information to the devices that protect behind the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
26 1 data diode. That is the point of that control, that 2 milestone, and it's very important for protection to 3 prevent cybersecurity attack using wired 4 communication.
5 And I'm stressing that wired communication 6 part.
7 CHAIR BROWN: I agree with you, actually, 8 and there's and interesting change you all made to the 9 bullets underneath the defensive architecture figure.
10 I think it's now Figure 5 or 6, I don't remember 11 which, where I will bring your point that you just 12 said.
13 I will kind of emphasize that and how that 14 seems to be being compromised. We're going to have a 15 little discussion on that at some appropriate point 16 here, I'm not exactly sure where it is yet.
17 MS. LAWSON-JENKINS: We'll be coming to it 18 because we talk about the defensive architecture a few 19 slides ahead.
20 CHAIR BROWN: I think I remember seeing 21 that when I reviewed the slides. One other comment on 22 the one-way deterministic, there's always an argument 23 about what that means.
24 In the world I came from before, that 25 meant literally a one-way hardware-based optical NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
27 1 coupler-type transmission device from a safety system 2 to some other system and couldn't be reconfigured by 3 software.
4 You really literally had to go into the 5 equipment and take it out. Obviously, the data that's 6 just going through the device has all the software 7 because you've got to send fields through it, data 8 streams.
9 But the device itself only went one way, 10 could not be reversed by somebody tweaking some 11 software command, kind of like your laptops and 12 everything else.
13 The reason you have bi-directional 14 communication in our laptops, personal computers, and 15 you have what they call deny but accept with 16 exceptions.
17 In other words, you generally deny bad 18 stuff but you allow good stuff to come in. And 19 there's a software feature that allows that good stuff 20 to come in while it's trying to prevent the bad stuff 21 from getting in.
22 That's your virus protection on your 23 laptop. So, it's bi-directional is what I'm saying 24 and we see that every day. I don't look as a one way, 25 those are literally one way and cannot be reversed NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
28 1 except by taking out the component and putting in a 2 bi-directional component.
3 And if you have bi-directional, which is 4 software-controlled, that means there are some type of 5 command structures if you use that bi-directional to 6 make it one way. There's a command structure that 7 says it's only going to function with one of the 8 functions.
9 So, we've got to be very careful how we 10 talk about it. Deterministic to me is very 11 deterministic, is my only point. It's a hardware base 12 in only one direction, not configured by software.
13 MS. LAWSON-JENKINS: For a security 14 control in the reg guide that's a security control 15 B.1.4, which is information flow control. And in that 16 one, it says that to implement true one way 17 communication, that you have to have a hardware base.
18 It cannot be software.
19 CHAIR BROWN: It's buried in an Appendix.
20 MS. LAWSON-JENKINS: No, that's the 21 security control. When we write violations, it's 22 usually because --
23 CHAIR BROWN: I'm sorry, I'm interrupting 24 only because it's in the appendix but it's not 25 adequately reflected up in the rest of text, up in the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
29 1 beginning parts where all the positions are or the 2 guidance is located.
3 It's not emphasized as much, it is after 4 the architecture but then there's some other 5 exceptions written. deterministic is deterministic is 6 all I'm trying to say.
7 Safety systems, when we send data out, it 8 should be one-way, hardware-based, not configured by 9 software and that's a design issue because there's no 10 cybersecurity in those systems, there's no virus 11 software.
12 It's under the contacts and that's why 13 we've been talking about using these methods for 14 allowing these methods to be discussed during the 15 design certification for new applications.
16 (Simultaneous speaking.)
17 MS. LAWSON-JENKINS: This is really 18 important for me to clarify. The Staff position in 19 the regulatory guide is very important because it 20 explains why the plan does certain things, why the 21 program should do certain things.
22 It's very important. But what the 23 licensees actually implement is Appendix A, B, and C, 24 that is what they implement.
25 So, while the guidance up front is very NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
30 1 important for clarity and to understand why things 2 should be done, what they are actually implementing is 3 the template that's in Appendix A and the security 4 controls that are in Appendix B and C.
5 So, that's really important. I'm not 6 dismissing any of the front matter because we want it 7 to be right, we want it to be correct, and be 8 accurate, but what the licensing actually implements 9 is what they have in Appendix A, B, and C.
10 CHAIR BROWN: I'm familiar with B.1.4.
11 That's the only really --
12 (Simultaneous speaking.)
13 MS. LAWSON-JENKINS: -- one of the best.
14 CHAIR BROWN: It's the only one that's 15 worthwhile. I'm trying to not be negative.
16 MS. LAWSON-JENKINS: I understand, I do.
17 CHAIR BROWN: It's very, very clear. I'll 18 let you go on now. Some of this is not only for you 19 all but it's also for me to express it and also for 20 our members to hear it.
21 MS. LAWSON-JENKINS: I appreciate the 22 dialog, I'm not being facetious, I really do because 23 every time we discuss and explain this, we make the 24 process better.
25 We try to clear up any misconceptions.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
31 1 Now we're getting ready for Milestone 4. Because 2 Milestone 3 addressed hopefully why this couldn't be 3 the case but at least is for us preventing a cyber 4 attack, Milestone 4 is going to do hopefully the same 5 thing for portable media and mobile devices.
6 They have to have some access control for 7 those devices so those SSEP functions are protected 8 MEMBER HALNON: Kim, this is Greg Halnon, 9 quick question on that. Back in about spring or so of 10 2018 there was a big industry issue with the 11 monitoring of the kiosks.
12 Could you explain what the problem or 13 issue was and how it was resolved?
14 MS. LAWSON-JENKINS: That was actually an 15 issue I had so that's why I can appreciate Member 16 Brown because everyone has some things they think are 17 really important and I thought the kiosk was really 18 important.
19 If you look at the reg guide, it doesn't 20 say how the licensee should do this, it just says what 21 they should do.
22 Industry decided on the solution that they 23 would have a kiosk that would be used to scan the 24 portable media and that would verify no virus issue 25 would be introducing any kind of new attack pathway.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
32 1 You make sure that whatever you're 2 uploading is free of known malware and that's fine, 3 and that's what we wanted to do, that's what it should 4 do. The issue was the industry didn't want to label 5 that diversity as stated compensatory damages, a 6 critical digital asset.
7 MEMBER HALNON: The kiosk itself?
8 MS. LAWSON-JENKINS: The kiosk itself. At 9 the end of the day, as an attacker, an attacker really 10 doesn't care what a device is labeled as.
11 For safety procedures and working at 12 nuclear power-plant procedures are very important 13 because you want things to be done consistently and 14 correctly all the time.
15 And the same for the humans, we have 16 labels so we can do things consistently well all the 17 time. But the attacker doesn't care, they only care 18 what the function that's being performed on that 19 device and how they can take advantage of the 20 weaknesses.
21 So, that was one issue I had, whether you 22 call it CDA or not. It doesn't matter, it's what it 23 is, what it does that matters.
24 The other issue is they implemented a 25 defensive architecture which we'll go into a bit NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
33 1 later, where you have the different security levels.
2 We implemented the one-way deterministic 3 device to protect Level 3 and 4 from the rest of the 4 network and other security levels.
5 If you have one device where you're 6 putting portable media into it and it touches all the 7 security levels, you have basically negated the 8 protection that you did for Milestone 3.
9 So, you have to have a way of -- and the 10 other thing is that there are two ways you can put a 11 security control on a CDA or you can apply a security 12 control to a CDA.
13 Even the device itself, you can put the 14 control on it, you have to log in to access the CDA 15 and it will track whatever you do on the CDA. The 16 protection is actually on the CDA.
17 Are you going to apply this protection to 18 something in the environment where the CDA operates?
19 In this case it was the kiosk and the CDA is going to 20 inherit the protection from the kiosk.
21 So, that can secure the control for 22 portable media access that would apply to the CDA, 23 you're going to say, okay, it doesn't have it really 24 on that device but it's inherent from the kiosk that's 25 operating in the environment.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
34 1 And the point that eventually the NRC made 2 clear to industry and we agree on in the public 3 meeting is that a CDA cannot inherit protection from 4 a device that's protected to a lesser extent than the 5 CDA itself.
6 That doesn't make sense. So, they agreed 7 that if you're going to inherit protection from a 8 device, that device has to be protected at the same or 9 greater level.
10 MEMBER HALNON: Is that concept now in the 11 NEI documents that govern what the industry is doing?
12 MS. LAWSON-JENKINS: There hasn't been a 13 formal update to NEI 8 or 9. I know in some of the 14 addendums there are some word to that effect, 15 especially when it comes to the portable media.
16 MEMBER HALNON: Its seems like it's a 17 pretty important point, that you just said very 18 eloquently and clear should probably be in the same 19 way very eloquent and clear in the documents so we 20 don't have to have another public meeting to explain 21 that to the next generation of cyber folks.
22 MS. LAWSON-JENKINS: You can inherit the 23 protection. In fact, a lot of the examples where we 24 would explain things, actually, the kiosks in the way 25 they got better as we were expecting them.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
35 1 Because like I said, they were providing 2 protection for the CDAs and we said, okay, if you 3 don't put these protections on the CDA, you must have 4 it on that device, where you get the protections from.
5 MEMBER HALNON: I get it, I appreciate 6 that, thank you so much.
7 MS. LAWSON-JENKINS: Okay.
8 MEMBER KIRCHNER: Kim, this is Walt 9 Kirchner, can I just follow on to Greg?
10 So, does that mean the portable test 11 devices or something that's brought in to update a 12 critical digital asset actually has to be handled in 13 cybersecurity space at the same level or above the 14 piece of equipment that's being updated?
15 MS. LAWSON-JENKINS: Yes, that's with 16 anything that touches that CDA.
17 CHAIR BROWN: Can I amplify Kim a little 18 bit? I totally agree with her.
19 In this world, Walt, do you remember back 20 in the analog world when you went to realign a set of 21 equipment you had specific test equipment that was 22 calibrated and check and tested before you brought it 23 in to do it.
24 These days, if you're going to bring in a 25 laptop or some other device to update your system, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
36 1 download new software or a change to the software in 2 the operating system or change set-points if that was 3 necessary, that laptop now becomes, quote, a piece of 4 very special test equipment.
5 And it has to be protected and not, in my 6 opinion, when we use those laptops when we started 7 downloading, initially we used to take out the 8 programmable read-only memories, put a whole new one 9 in.
10 We didn't have to worry about downloading 11 anything. We did it at the factory, we could observe 12 everything, very close controls on every bit of the 13 software so we just replaced the PROM.
14 But later, we now had e-squared PROMs and 15 we could now not have to go through the manufacturing 16 process. And we found that if we were going to 17 download new stuff using a laptop if we were going to 18 do that, we had to consider that a prime piece of 19 equipment.
20 And it had no other applications on it.
21 There was nothing fuzzy in it, it could do nothing 22 except transfer data for the specific stuff we put 23 into it. It had no other functions allowed to be part 24 of it.
25 It did nothing else, it was totally NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
37 1 protected, just as Kim commented on. You've got to 2 put it in a cocoon and protect it to make sure it has 3 no connection to the outside world ever.
4 MEMBER KIRCHNER: That's where I was 5 going, Charlie, but is that actually what is the 6 practice in the field? Because the temptation --
7 (Simultaneous speaking.)
8 CHAIR BROWN: I don't know for industry.
9 MEMBER KIRCHNER: The temptation to take 10 a multi application piece of equipment in that could 11 do multiple functions or upgrades of safety equipment 12 is tempting, right?
13 So, how do you make sure that piece of 14 portable or test device is clean absolutely, like you 15 described it, Charlie, where you had a piece of 16 equipment that had only one function.
17 It's different with an actual laptop. You 18 can bring a lot of stuff with you. And so, Kim, is it 19 required through your reg guide that such a laptop or 20 other device is thoroughly scanned before it goes 21 through access control?
22 You are ensuring that piece of test 23 equipment or laptop or whatever device it is is 24 thoroughly scanned for malware and any other problem?
25 MS. LAWSON-JENKINS: During inspections we NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
38 1 look at things that have to do with the portable media 2 and mobile device program. So, we've inspected the 3 procedures being used.
4 For instance, we look at how the equipment 5 is labeled and whether the equipment is used on a 6 certain security level and how they keep track of 7 those things.
8 And the procedures when they check out 9 equipment and when they put it back in and any kind of 10 sanitizing.
11 They have processes for this, they know we 12 are looking at this all the time. And in the end, if 13 they have a defensive architecture, they have to have 14 processes and procedures and technology that will 15 support that architecture.
16 So, we have seen this on inspections and 17 we've seen effective implementations and sometimes 18 we've seen violations. Every year we look at all the 19 different violations that we've seen, we bend them 20 together, see if there's been progress over the years.
21 I can definitely say in the portable media 22 and mobile devices, it has come a long way since 2013.
23 There are not nearly as many, if any, violations in 24 that area because we have gotten much better at it.
25 So, we don't basically say how to do this NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
39 1 but we do look at the procedures to make sure however 2 they are using and implementing their programs, it 3 does not violate the security architecture they put in 4 place and validate the protections they did for the 5 higher security levels.
6 MEMBER KIRCHNER: I guess my big concern 7 here, my history is dated, I'm from the analog world.
8 But when I look at the potential to bring in equipment 9 that could contain malware, would all these devices be 10 scanned first at access control?
11 And then what's the standard you scan to?
12 This is an evolving threat and there are a lot of 13 malware programs out there. Is there any standard 14 that you apply?
15 It's one thing to have procedures, I agree 16 wholeheartedly with what you're saying, how do you 17 keep the malware protection up to date?
18 MS. LAWSON-JENKINS: Usually, there are 19 different scanning engine that are used for the virus, 20 when you're looking for the viruses. We're talking 21 only about known viruses now.
22 MEMBER KIRCHNER: Of course.
23 MS. LAWSON-JENKINS: So, there are 24 different scanning engines to use so usually, at least 25 the kiosk that we've inspected used multiple scanning NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
40 1 engines because then you could get different types of 2 malware, one that may be better as certain types of 3 malware than others.
4 So, there are usually multiple scanning 5 engines. Just keep in mind, they have a maintenance 6 rule.
7 There's programs they have from some of 8 their other portable media and they take credit for a 9 lot of that but they still have to comply with what 10 we've implemented for cybersecurity.
11 Because there was a maintenance rule and 12 a maintenance program in effect, like you said, for 13 safety. So, there is some credit taken for that but 14 as far as scanning and things like that, like I said, 15 we look at their procedures.
16 When we've seen that the scanning we think 17 might be insufficient there will be observations, 18 warning, whatever, about that. And like I say, right 19 now their programs are effective.
20 I think that is really I would say one of 21 the positive things that have come out of the program.
22 Because like I said, we didn't tell them how to do 23 this, we didn't tell them how to do Milestone 4 and 24 there was a lot of discussion and back and forth.
25 Now we're starting to move to different NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
41 1 areas as we get to Milestone 7 of how you keep a 2 program going and make sure the controls were 3 effective. That's where we get more into the 4 vulnerability updates.
5 So, in a way, I won't say it's a moving 6 target but the focus changes at certain points and 7 it's going to do that for any program over the 8 lifetime of it, especially when you get new threats, 9 new attack pathways, new things like that.
10 So, it's a moving target, we're always 11 trying to stay ahead. And the things that were 12 implemented in Milestone 1 through 7 really did a lot 13 to make the programs effective.
14 There was work to get them to where they 15 are today but this was a great foundation and I can't 16 say that enough, as someone who came in after this was 17 all decided.
18 MEMBER KIRCHNER: You can't see me on 19 video. I'm shaking my head saying yes so thank you 20 for your response.
21 MS. LAWSON-JENKINS: Obvious signs of 22 tampering, that's Milestone 5. That's for the 23 physical attack pathways, there are five attack 24 pathways and we are going to discuss three of them 25 here.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
42 1 It's the wired pathway, the portable media 2 and mobile devices, and physical access. Milestone 5 3 helps with physical access a little bit, seeing what's 4 being done with the equipment to see whether or not 5 you have unauthorized equipment attached to a CDA.
6 Someone shouldn't be powering up their 7 mobile phone using a computer. I admit it hasn't 8 happened but that's my point.
9 When the guards were doing walk-arounds 10 looking at things, or even employees, they would see 11 and make sure that nothing other than work equipment 12 should be attached to CDAs.
13 Milestone 6 was getting a subset of CDAs 14 identified in Milestone 2, and applying security 15 controls. So, this was to start looking at the 16 methodology that was being used to apply security 17 controls to CDAs.
18 And in Milestone 7, once those controls 19 were applied, then you just don't apply them and 20 forget about them. You have to monitor and make sure 21 they're still effective and are operating correctly 22 and doing what you expect them to do.
23 So, this was the foundation that we built 24 on it and like I said, I think the industry and the 25 NRC has really done well in this.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
43 1 MEMBER KIRCHNER: Kim, this is Walt 2 Kirchner again, I don't have up to date experience in 3 the plant like Greg does. In practice, is there a 4 more restricted access?
5 Does this imply more restricted physical 6 access to things like reactor protection system and 7 such? Is that what you mean by physical security 8 controls or a higher level of digital --
9 MS. LAWSON-JENKINS: It depends but 10 unfortunately, with security it depends. The 11 licensees have leveraged very much two things in their 12 program, the physical security if they're being used.
13 So, a lot of the physical and digital 14 assets are located in protected and vital areas so 15 they're going to leverage that. And obviously, the 16 wired communication that this equipment is protected 17 by a data diode.
18 So, I think what you're getting into then 19 is more of a safety security interface question. How 20 many technical controls are you really going to apply 21 on the devices located in the most protected area?
22 And that will vary.
23 MEMBER HALNON: Walt, I think the answer 24 to your question is yes and the physical controls.
25 Since this was...I hesitate to use the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
44 1 word backfit but a lot of things were looked at that 2 were outside protected areas and the items that were 3 in the past able to be accessed or physically in the 4 general vicinity of people.
5 It's much like the FERP controls where you 6 have separation of duties and you have separation of 7 now physical access to certain rooms and other things 8 like that. So, there are some of both put in place.
9 MS. LAWSON-JENKINS: A lot of the 10 equipment we're talking about when we see the 11 protected area, they are on Level 3 and 4 behind the 12 data diode and those are dedicated computers.
13 Obviously, they're not talking to anything 14 on lower levels and we'll be coming up to some more 15 information but a lot of CDAs, including BOP are 16 protected on Level 3 and 4 also.
17 MEMBER KIRCHNER: This has implications 18 for -- your colleagues are working on 10 CFR 53 19 rulemaking and to do what Milestone 6 is implying as 20 well as Number 3 in particular, it seems to me if you 21 can do a lot of that by design upfront, like Greg 22 said, with the existing plants, you're in a situation 23 where, I'll use it, quote, unquote, a backfit kind of 24 might be necessary to restrict physical access, et 25 cetera, et cetera to those the most important critical NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
45 1 digital assets.
2 But going forward, it would seem to me 3 that when one starts laying out the architecture for 4 the INC and the plant, both in terms of electronics if 5 that's the right word and physical space locations, 6 then one can be I think much more effective in 7 marrying the digital cybersecurity to the physical 8 cybersecurity to implement this much more efficiently 9 and effectively.
10 Do you see where I'm going? Just by a 11 layout of plant, the back cabinets so to speak, where 12 they are, who has access, how you do that, how you 13 design the system it would seem.
14 CHAIR BROWN: Walt, let me provide an 15 example of what we're talking about. Kim, one of the 16 recent things we've looked at, reviews we did, that 17 had the reactor protection, the safeguards, and that 18 data was sent out.
19 We forced a one-way deterministic device 20 that took some time to get people to agree, and then 21 it went to a network. That network was connected to 22 the outside world.
23 We insisted that there was an in-plant 24 network that then went to an out-of-plant network. We 25 insisted that in-plant network that received the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
46 1 reactor protection and safeguards data and other data 2 from other safety systems, its output had to be one 3 way only.
4 It was in plant so that you had two 5 barriers to the outside world. The initial, the in-6 plant network had a bi-directional software-7 controlled-type data transmission device.
8 And the Applicant eventually agreed to 9 make that unit directional from the in-plant to the 10 out-of-plant.
11 That's what we're talking about, that's a 12 design issue but there's no virus protection systems, 13 there's no software that you put in the systems, it's 14 just literally a hard no door is allowed.
15 You're not allowed anybody in. You still 16 have the physical access, people want to make changes 17 when they walk into the plant. That's a physical 18 thing, back to where we were 20 years ago.
19 So, that's what we've been trying to focus 20 on and concentrate on to simplify and ensure the 21 software systems don't run the risk of being connected 22 to something, either a lower safety system or 23 something that goes out external to the plant that 24 they can't be backfit, malware or other types of 25 problems.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
47 1 That's why we've been insisting on 2 literally one-way hardware based non-software 3 controlled deterministic, lots of words, I love those 4 words, data transmission devices.
5 And you can't come back through it the 6 reverse direction no matter what you do.
7 MS. LAWSON-JENKINS: And on the screen 8 now, Brian, advance to Slide 7 and that's what you see 9 right now between Level 2 and 3. All the CDAs that 10 have to do with safety, important to safety, security, 11 are located on Level 3 or 4.
12 So, they have protected behind the data 13 diode for wire connections.
14 MEMBER KIRCHNER: I like that but then if 15 you look over from Level 4 to Level 3, that network 16 could have been a Level 3 and you show a firewall.
17 And a firewall is a bi-directional software-controlled 18 data transmission device.
19 MS. LAWSON-JENKINS: That is true.
20 MEMBER KIRCHNER: So, that little white 21 arrow becomes meaningless if you've got a firewall 22 that's your main protection for it.
23 MS. LAWSON-JENKINS: It is not as strong, 24 I will absolutely agree, up to a point, because it is 25 possible to have a data diode inside of that device.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
48 1 MEMBER KIRCHNER: You can? You could have 2 done that but --
3 (Simultaneous speaking.)
4 MS. LAWSON-JENKINS: -- solutions, we do 5 that in DoD because I worked on those.
6 MEMBER KIRCHNER: But you don't want that 7 data diode to be able to be cut out because somebody 8 wants to come in and do something for their own 9 convenience.
10 MS. LAWSON-JENKINS: I understand and I 11 agree but you have to understand, this is why I want 12 to make the point about the data diode. One reason 13 why it's a great device is it's very simple.
14 It's very easy to see it's doing what it's 15 supposed to do. It protects for wired connection.
16 With defense in-depth we have to do more than just 17 prevent. There's no detect for instance, no detection 18 function with a data diode.
19 It won't tell us that someone was trying 20 to attack the network. There's no recovery detection, 21 it's just preventative.
22 What that firewall will be doing is also 23 monitoring communications and it could be looking for 24 things, it could be detecting things that shouldn't be 25 happening.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
49 1 So, not alone but the firewall with the 2 data diode is used to provide the defense in-depth.
3 CHAIR BROWN: Let me ask on the firewall 4 then. You're describing a firewall which is not a 5 data transmission device but a monitoring device 6 that's sitting there to tell the operators somebody is 7 trying to get in somewhere?
8 (Simultaneous speaking.)
9 CHAIR BROWN: But the problem with that is 10 can now somebody come in from the outside via that and 11 contaminate that network which is literally sending 12 its data through via one-way deterministic devices?
13 You now have a connection to the outside 14 world, effectively, and that's one of my concerns. I 15 understand your monitoring point but when you do that 16 monitoring function, it should have no connection to 17 the outside world.
18 It should be an inside the network 19 monitoring function and not connect outside the plant.
20 It should connect inside the plant what's going on, 21 not outside the plant.
22 MS. LAWSON-JENKINS: What connection to 23 the outside world are we referring to?
24 CHAIR BROWN: An Internet connection.
25 MS. LAWSON-JENKINS: There is no Internet NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
50 1 connection there to the outside world.
2 CHAIR BROWN: Theoretically, you talk 3 about a firewall, that firewall is monitoring 4 something.
5 MS. LAWSON-JENKINS: It's moderating the 6 communication between Level 3 and 4.
7 CHAIR BROWN: Who is it talking to?
8 MS. LAWSON-JENKINS: It will be pushing 9 whatever it sees down from Level 4 to Level 3, and 10 then from Level 3 to Level 2.
11 CHAIR BROWN: Who's going to be receiving 12 that information to know there's something going on?
13 MS. LAWSON-JENKINS: Probably someone 14 outside on the lower side of the firewall.
15 Information is pushed out from Level 4 to Level 3, 16 from Level 3 to Level 2, and then it's sent out.
17 CHAIR BROWN: So, it can't get out at 18 Level 3 is what you're saying based on those diodes 19 and the arrows?
20 MS. LAWSON-JENKINS: It does get out.
21 There's no communication --
22 CHAIR BROWN: I'm sorry, I meant one way.
23 That's not a bidirectional signal from Level 3 to 2?
24 MS. LAWSON-JENKINS: No.
25 CHAIR BROWN: Let me ask, I see this nifty NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
51 1 little diagram with your firewalls and data. When I 2 look in the Reg Guide, that picture is not in there, 3 it's nothing but white arrows.
4 MS. LAWSON-JENKINS: -- in all these 5 diagrams. Because I knew this discussion we're going 6 to focus on information flow control and access, I put 7 this diagram. Even the one in the reg guide is a 8 notional diagram.
9 CHAIR BROWN: I understand that but it's 10 not as definitive. If I look at the reg guide I don't 11 see fire walls. The appendices talk about firewalls 12 but they don't relate the firewalls to this 13 architecture.
14 Do you understand what I'm saying?
15 MS. LAWSON-JENKINS: The appendices talk 16 about the controls or things that we expect boundary 17 devices to do and one of the things we expect boundary 18 devices to do is to monitor communications and to 19 possibly enforce the communication rules that we have 20 within the levels and across the levels.
21 So, that's why I said a boundary device.
22 So, as I said, the data diode does one function, it 23 prevents communication going to a higher security 24 level but that's all it does.
25 Boundary devices have to do more than just NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
52 1 that, which is why firewalls are also used, in 2 conjunction with the correct placement of a data 3 diode. It would not be an adequate implementation to 4 have only firewalls.
5 CHAIR BROWN: I understand your point on 6 that. My concern is the firewall is there and can it 7 get into the input side of the data diode such as that 8 it now has access to the reactor protection system?
9 MS. LAWSON-JENKINS: All it can do is push 10 information down from Level 3 to Level 2 or Level 4 to 11 Level 3. That's like saying the data diode is very 12 simple.
13 CHAIR BROWN: I got that on the data diode 14 but the firewall is monitoring and it's monitoring 15 everything in there, including the input side of the 16 data diode. Anything that comes in, if it's 17 monitoring, that means it's got access.
18 Can I go backwards back to the reactor 19 protection system?
20 MS. LAWSON-JENKINS: The firewall, whether 21 it's implemented as the data diode or not, is going to 22 have to be part of the defensive architecture. I 23 always say the things that are Level 4 are inheriting 24 the protection of the data diode that's sitting on 25 Level 3 and 2.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
53 1 CHAIR BROWN: I may not be making myself 2 -- the reactor protection system, and I'm sorry to 3 belabor this, I just need to understand what you're 4 talking about. It's a good conversation, I appreciate 5 it.
6 I'm just looking right now at one of our 7 other plants. We were sending data out, the data 8 diode was right out of the RPS, the next one had a 9 data diode, sending it some place outside the plant.
10 And now we're talking about somewhere in 11 there, I don't know which side in the reactor 12 protection system, there will not be a firewall 13 looking at the input side of that data diode, coming 14 out of the RPS.
15 There was nothing in the design that said 16 that. But when I get to the network, you've got a lot 17 of stuff in the network.
18 And so I understand the notion from 4 to 19 3, going from you've got other stuff coming through 20 and you've got something to monitor what's in that 21 network.
22 Is somebody trying to get into it even 23 though its only communication outwards is via a data 24 diode to Level 2? So, that firewall has to be 25 monitoring what's in all the memory, what's operating NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
54 1 and everything else, which is on the input side of 2 data diodes.
3 And if it's on the input side, it can go 4 backwards into the rest of the systems that are 5 feeding everything.
6 So, if the firewall had some contamination 7 in it, corruption or malware, you then end up getting 8 something transmitted back into the reactor protection 9 system.
10 I'm all for monitoring but monitoring can 11 be a double-edged sword.
12 MS. LAWSON-JENKINS: Anything you do, and 13 I will agree with that, anytime you do anything, 14 there's always a chance that someone can misuse it.
15 We see that in security all the time, when 16 you put in the protective mechanism, whether it's 17 downloading new software or whatever, and the attacker 18 misuses that for their own purpose and will attack.
19 But that is why we've always been very 20 stringent, as we said for the kiosk, for certain 21 devices, this is an important point, where it's 22 protecting multiple devices, you're going to have to 23 protect that device at a high level.
24 So, that firewall has to have some self-25 protection mechanism to say something is going wrong, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
55 1 I'm not working, something's not right. And then 2 that's when some other mechanisms will kick in.
3 I absolutely agree with that anything we 4 have a high-level 3 and 4, it in itself may be a 5 problem but that's why those protective devices, those 6 devices that are applying protections to the 7 environment where the CDAs are operating, they 8 themselves must be protected.
9 Like I said, this has been a mantra with 10 us for quite a while.
11 CHAIR BROWN: I was interested in this 12 because I was reading when I read Appendix B122, use 13 of external systems, where you have one-way 14 deterministic stuff specified, and the words are 15 fairly clear.
16 I didn't have any problem with this so I'm 17 not going to be giving you any suggestions. Because 18 it says ensuring external systems cannot be accessed 19 from CDAs located behind a one-way deterministic 20 device.
21 MS. LAWSON-JENKINS: That's Level 3 and 4?
22 CHAIR BROWN: Yes, they're behind it.
23 MS. LAWSON-JENKINS: But it goes on to 24 say, any manner that would result in a bypass that 25 enables communications from lower to higher levels, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
56 1 which is key. I'd love to be 122, I'd love to be 14, 2 and C7 is also pretty clear.
3 Although a bunch of the appendices are 4 littered with firewall determinations and where those 5 get applied is interesting.
6 Because you don't see those during the 7 design phase when you're just showing how the data get 8 transmmitted from a reactor protection system to the 9 outside world, through a network or not through a 10 network.
11 It should be a one-way device and then you 12 see the firewall thought process and say, hold it, is 13 that going to impact? Can that now go backwards?
14 MS. LAWSON-JENKINS: For cybersecurity 15 there is no way of getting around implementing defense 16 in-depth. It is crucial that we can detect, respond 17 to, and cover from cyber attacks.
18 And we cannot just rely on prevention 19 because we have seen over the years in this last 20 decade, and even further in cybersecurity, your 21 protections can be circumvented.
22 I'm just making this general statement.
23 You can have data diodes, you can place them in the 24 architecture, and if you don't know all the 25 communication pathways, that defense will be NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
57 1 circumvented.
2 CHAIR BROWN: I don't disagree with that.
3 That's a terrible double negative, I'm sorry. I've 4 got to reprogram my English courses from sophomore 5 year in high school.
6 When we do a review on the design side for 7 an Applicant, we get a very detailed one-line 8 functional diagram showing all communication paths as 9 well as showing that you maintain independence along 10 with the redundancy.
11 Control of access is a major issue for us 12 during our new application or new license application, 13 new plant design application.
14 And if you look at the way it's shown, we 15 have data leaving the reactor protection system via a 16 couple of paths, both of them going through 17 deterministic one-way hardware-based diodes.
18 We insisted on that and that goes out to 19 the main control room and every place else, as well as 20 they can go to your technical support center and can 21 go to your emergency preparedness or emergency support 22 center, whatever they're called, so people know what's 23 going on data-wise.
24 That is a device, it's right in the bottom 25 of the cabinet, if you want to call it that, or it's NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
58 1 on the circuit card with the computer operating 2 system, the computer platform.
3 So, that is the pathway so I'm happy with 4 that pathway but people keep telling us we can't talk 5 about that in the design phase. That's just wrong and 6 that's what we're trying to alleviate, is people 7 telling us we can't ask that question.
8 And if we ask the question and they say 9 something we're not going to make a regulatory 10 determination on it.
11 And that's disturbing because you can't do 12 anything else in the safety systems with any other 13 type of virus protection the way you do in all the 14 other systems, what I call normal use systems.
15 Administrative, business, recordkeeping, 16 maintenance, training, et cetera. And the one-way 17 device coming out of the RPS should not have a 18 firewall sitting with it because it's only one wired 19 connection going one way.
20 I understand the concern but the only way 21 you're going to get bad stuff in is if you bring it in 22 via somebody changing the software. And that's a case 23 where you have to make sure you've got clean software 24 that you plug in.
25 You can't vet anything in the system to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
59 1 try to say it's not because you don't know.
2 MS. LAWSON-JENKINS: Right now, the way 3 the systems are made, we have multiple CDAs on Level 4 3 and 4.
5 CHAIR BROWN: I'm just talking about 1.
6 MS. LAWSON-JENKINS: I understand that, I 7 do.
8 CHAIR BROWN: -- control, there's all 9 kinds of CDAs, if you want to call them that.
10 MS. LAWSON-JENKINS: Exactly, and they 11 should be monitored and seen if appropriate 12 information is going to cross there because there is 13 as a computer scientist there is no perfect software.
14 There is no software that you install once 15 and you don't ever have to touch it again.
16 CHAIR BROWN: We are in great mind meld 17 relative to that.
18 (Simultaneous speaking.)
19 CHAIR BROWN: -- brains and we will be 20 working just fine.
21 MS. LAWSON-JENKINS: So, obviously, we're 22 doing risk-informed security so you want to minimize 23 the risk on this. So, we have to have defense 24 in-depth, like I keep saying, where we have to monitor 25 --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
60 1 I'd rather get to this later, I don't want 2 to keep jump in around.
3 CHAIR BROWN: That's okay, we'll do that 4 because I would ask you what does it mean 5 risk-informed, we can have a little bit of hiking but 6 not too much. I just filled that out and we'll talk 7 about that later.
8 The point I'm trying to get across is 9 we're trying to ensure the Committee and other folks 10 that are doing the reviews, the NRR Staff, when 11 they're reviewing a new design, can look at these 12 systems.
13 And they can look at them in what's 14 delivered by the vendor, not all of the ancillary 15 stuff throughout the plant, not worthy interfaces, but 16 the data they send out. The access they have in is 17 blocked, prevented.
18 And we can argue about, well, we're still 19 going to have monitor the system, you have to do that 20 via other means.
21 But we still want to make sure there's a 22 one-way deterministic device preventing other external 23 to the plant stuff getting fed back in through 24 networks or whatever because at some point, a couple 25 of levels down, they're connected to the Internet, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
61 1 like in Level 2 or 1.
2 MS. LAWSON-JENKINS: Really, the last 3 point I want to make on this is that safety always 4 trumps security.
5 We would not introduce something, the NRC 6 cybersecurity inspection team, would not allow a safe 7 security requirement to be introduced where we have to 8 monitor that will negatively impact the safety.
9 CHAIR BROWN: I got that, I agree with 10 that and I'm glad you said that, I like that 11 statement.
12 That's not what we've been dealing with, 13 we've been dealing with people saying you can't 14 determine or make a determination that a one-way 15 deterministic device is required for transmitting 16 data.
17 We had a vendor that wanted to do it 18 bidirectional so it could go both ways, right into the 19 protection system. We said no and they eventually 20 caved. But we're told by the Staff they can't make 21 that guidance determination.
22 MS. LAWSON-JENKINS: I'm going to let NRR 23 make that case.
24 CHAIR BROWN: But you're the king here.
25 All I want to do is make sure that when we're NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
62 1 reviewing designs, and I made the comment in our 2 letter, Reg Guide 5.71, we did this 11 years ago.
3 It had very strong protections that were 4 put in there for these types of things but we were 5 told we couldn't use it because it can't be done until 6 the combined operating license standpoint or some time 7 later once all the equipment is designed.
8 It said you've got to be kidding me.
9 MEMBER KIRCHNER: Charlie, this is Walt.
10 May I interrupt a moment?
11 CHAIR BROWN: Absolutely.
12 MEMBER KIRCHNER: I wanted to ask, Kim, 13 what is the set of systems that resides in Level 4 as 14 a result of this reg guide? Is it beyond the reactor 15 protection system to include security protection 16 systems, et cetera?
17 Because I think what Charlie simply is 18 saying is that visually, that one-way data diode 19 between 3 and 2 needs to be switched with the firewall 20 between 4 and 3.
21 CHAIR BROWN: What else resides in Level 22 4? Are there systems beyond those? Because what you 23 said is very important, safety is more important than 24 security in the end. You have to look at that 25 systematically too to see.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
63 1 Security can always have a big impact on 2 safety and consequences. But what systems would 3 reside?
4 Is it not possible to construct an 5 architecture not to make complexity but let me just 6 rhetorically say Level 5 are the core reactor safety 7 system functions that you need to protect, no matter 8 what. And there's the data diode for those systems.
9 You can figure out ways to monitor whether 10 such systems that have been tampered with and such by 11 a physical inspection. And then at the next level, 12 you may have lower important systems.
13 I'm not finding the right words, your 14 security systems and so on, and actually, you would 15 have a double data diode in my mind.
16 But I'm with Charlie that I just can't see 17 how you can risk the reactor protection system, in 18 particular, and all of its subsystems, just so you can 19 monitor it.
20 That opens a door -- this is not my field 21 but to me, in this world we're working in that opens 22 the door to a potential -- it creates a vulnerability 23 for the reactor protection system.
24 MS. LAWSON-JENKINS: Please keep in mind 25 this is a notional diagram. I have seen system NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
64 1 architectures where you have multiple data diodes on 2 Level 3 and 4, depending on how they architected the 3 system, and that is information flow control.
4 So, they determine between whether it's a 5 security system, BOP, important to safety, whatever, 6 or safety system. They can have, and they do, I've 7 seen implementations of multiple data diodes behind 8 Level 3 and 4.
9 So, this is just an example of how to do 10 this.
11 MEMBER KIRCHNER: I totally understand 12 that.
13 MS. LAWSON-JENKINS: So, we look at it on 14 an individual, plant-by-plant basis of how they did 15 that.
16 MEMBER KIRCHNER: But you're thinking 17 operating plants.
18 MS. LAWSON-JENKINS: Yes, I am.
19 MEMBER KIRCHNER: We're thinking new 20 design plants where we have commented and asked to 21 ensure there is a one-way data diode for data 22 transmission out of a reactor protection system, 23 safeguard system, those associated, if they feed the 24 pumps and valves and controllers so that those 25 systems, if they're computer-controlled, can't feed NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
65 1 back.
2 And the data that goes out to the other 3 network and stuff has that one-way diode.
4 If you think about it in the old days in 5 the analog systems, all your data, meter data, switch 6 data, it came out through wires and terminal boards at 7 the bottom of the cabinet, or on connectors.
8 That connector has now been replaced with 9 a one-way data diode or should be, but that in the 10 design phase when we're doing a new design. And right 11 now the reg guide says this only applies for operating 12 reactors.
13 MS. LAWSON-JENKINS: The rule, the 14 cybersecurity rule, applies.
15 CHAIR BROWN: But they're saying, 16 therefore, because the rule only applies to operating 17 reactors, we can't say anything in the design stage.
18 MS. LAWSON-JENKINS: The rule says that 19 you apply the plan and the program when the plant 20 becomes operational.
21 CHAIR BROWN: Exactly.
22 MS. LAWSON-JENKINS: That's what we're 23 following.
24 CHAIR BROWN: We can't backfit a data 25 diode at that stage. You don't go back in and NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
66 1 redesign the equipment when you get five or six or 2 seven years down the pike and you're now about to go 3 operational.
4 MS. LAWSON-JENKINS: I'm not dismissing 5 this because we are going to keep addressing this 6 throughout the discussion by one of them to advance 7 this a bit but to keep responding that the firewall 8 isn't talking to a lower level or Internet past the 9 data diode.
10 And also, for better or worse, this 11 equipment that's located on Level 3 and 4, it probably 12 will need to be updated, once in its lifetime at 13 least. So, you will have to have some mechanism of 14 performing updates.
15 I'm not even talking vulnerability 16 updates. There may be maintenance that you have to do 17 on that equipment and that's why we have to monitor 18 and detect and respond to possible cyber attacks that 19 have somehow bypassed that protection of the data 20 diode.
21 So, that's all we're talking here. I 22 understand the issue about design but I want to make 23 it clear that nothing behind Level 3 and 4 is talking 24 to the Internet.
25 MEMBER PETTI: Can I just ask a NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
67 1 clarification? This is Dave. The firewall shown 2 between 3 and 4 notionally, you have it so that you 3 can monitor. That's an intranet, not an internet?
4 MS. LAWSON-JENKINS: Intra.
5 MEMBER PETTI: I understand that, thank 6 you.
7 CHAIR BROWN: You're correct. We'll quit 8 discussing this, you're pointing out that the rules 9 applies when the plant goes operational. We're 10 working back at the license application with the 11 design certification documents.
12 Let me finish real quick. We're being 13 told you can't do anything of what we're talking about 14 because it can't be addressed until seven or eight 15 years later until the plant goes operational.
16 And therefore, the vendor can do whatever 17 they want, we can't ensure there's one deterministic 18 data flow out of the reactor protection safeguards, 19 rod control, whatever systems you want to talk about 20 if they've got communications or monitoring.
21 We can't address that in the design phase 22 which, to me, that means I can't complete my design.
23 And just because the rule, that's cybersecurity and I 24 say there's no cyber in there, it's just control of 25 access.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
68 1 And yes, our design documents talk about 2 control of access and the IEEE standards and 3 everything else. That was fine back in the days when 4 control of access meant you had to go pull a drawer 5 open and go muck around with a potentiometer.
6 It's not like that anymore, control of 7 access now is introduced, the electronic access, and 8 we're just stuck with this log jam of trying to 9 utilize the good stuff that's in this reg guide, 10 because it's really quite excellent.
11 It's got really good information, it's 12 well thought out, and it covers a lot of territory.
13 And we're told you can't even think about 14 some of these concepts of data diodes and 15 incorporating them at the design stage so that the 16 equipment does have a door that you may want to do 17 something else with later with other techniques.
18 But at least from that level of 19 protection, it's already embedded in the design and 20 we're told you can't deal with that. So, I have 21 already mouse-milked this to the extent that I've 22 destroyed your entire presentation.
23 And I apologize for that, Kim you've been 24 very, very patient and you've done an excellent job.
25 You've made it very clear where the rule applies.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
69 1 It's a question of how in the world do we 2 provide some clarification in this reg guide because 3 it's one of the three to be looked at for providing 4 guidance for design stuff, 719, the defense in depth 5 and diversity stuff, and the 1.152, which largely 6 deals with physical control in most of the cases.
7 That's where the hard spot is but you've 8 made it I think more understandable to us to see how 9 that's viewed.
10 And what I've been looking for is how can 11 we provide some clarification under just the thought 12 process, the big-picture applicability and a few other 13 places that, hey, look, these methods are good and can 14 be used in license applications for new plants.
15 And it's kind of interesting, in 5.71, 16 it's on Page 6 I think, there are the words kind of.
17 Everybody is shooting themselves in the foot is what 18 I'm really saying.
19 There are words that say here's Page 6, 20 the last part of the stuff where it's talking about 21 Rev 3 of 1.152, this is under background.
22 It says if a licensee or Applicant chooses 23 to address 73.54 through the use of design features, 24 it then submits the details of those design features 25 of the safety system intended to meet as part of the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
70 1 license amendment request or design certification 2 application for review and approval.
3 In such cases, the NRC will review these 4 features in conjunction with the system's safety 5 functions, only in conjunction with the safety 6 functions, to ensure the reliability of the safety 7 system is not adversely impacted by the inclusion of 8 these security features.
9 In other words, right there it says we can 10 do this because it will be reviewed only in terms of 11 is the safety system reviewed? Not a cyber review.
12 And I like those words, I would just like to have some 13 additional stuff.
14 MS. LAWSON-JENKINS: I hope you can hear 15 me.
16 CHAIR BROWN: Did you hear me? Are you 17 there, Kim?
18 MS. LAWSON-JENKINS: Yes, unfortunately, 19 I'm getting a bad network quality indicator here. So, 20 I turned off my camera hoping that I don't --
21 CHAIR BROWN: I'm just saying your words 22 under the background on Page 6 refer to this even 23 though these were intended to meet cybersecurity 24 stuff, really, they're for safety system applications, 25 the way it said, to ensure reliability of the safety NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
71 1 system is not impacted, et cetera.
2 So, I just think those could be unfuzzied 3 a little bit. I haven't quite figured out how to do 4 that yet but that's what I've got in mind for 5 amplifying this to make the example that, hey, you 6 can't have virus protection.
7 But for safeguards, safety systems, 8 control, as well as other critical balance of plant 9 stuff, these can be used. So, it shouldn't impact 10 that, it's just trying to get the thought process 11 across it.
12 This reg guide has good stuff in it and it 13 shouldn't be deferred for seven years after the DCD 14 has been approved.
15 MS. LAWSON-JENKINS: I just want to 16 suggest we keep going further because I am hoping, not 17 all of them, but some of your issues will be addressed 18 as we discussed them.
19 But I want to make a few more good points 20 here.
21 CHAIR BROWN: We're ready to go.
22 MS. LAWSON-JENKINS: So, this diagram just 23 shows the whole process again, altogether, of how the 24 assessment, determining whether the CDA issue is 25 really important, that's the upper on the right side.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
72 1 The defensive architecture implementing 2 that is extremely important, then applying the 3 security controls which we do for Milestone 6, which 4 includes looking at the physical security and making 5 sure nothing's being connected through the assets and 6 Milestone 5 and monitoring those security controls.
7 So, I guess you could say, the big picture 8 for Milestone 1 through 7. Brian, Slide 14?
9 MEMBER KIRCHNER: Kim, this is Walt 10 Kirchner, the logic, the flow structure of this makes 11 good sense. I don't have anything to add except for 12 I think where Charlie is going in part is this is how 13 you approached it with existing operating plants.
14 And some of those plants are obviously 15 implementing more and more digital assets and 16 controls. But if you were looking at a new plant 17 starting from scratch, the thing you would really want 18 to do is number three first and then the other parts 19 would follow.
20 Do you see what I'm saying? So, what you 21 have right now is what you have with an operating 22 fleet.
23 What could be done to improve the level of 24 cybersecurity protection for new digital INC system 25 for an existing plant or for a new plant would be to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
73 1 implement the defensive architecture first in the 2 design and then apply everything else that you 3 identify.
4 MS. LAWSON-JENKINS: Two things, a comment 5 on that. Was that a question that you expect me to 6 respond to? I can.
7 MEMBER KIRCHNER: I guess it was a 8 statement or just an observation, leave it as an 9 observation.
10 MS. LAWSON-JENKINS: We'll leave it as an 11 observation now but we'll probably come back to that.
12 CHAIR BROWN: Kim?
13 MS. LAWSON-JENKINS: Yes?
14 CHAIR BROWN: We've gone over the break 15 time. Is there a break point here where we can take 16 a break for everybody? I was looking forward in the 17 slides, the rest will go fairly quickly since we've 18 mouse-milked this on most of these slides.
19 So, if you want to proceed I think we can 20 get to the overview slide, 18.
21 MS. LAWSON-JENKINS: Let's go through 22 these because there isn't much more on here. On top 23 of Milestone 1 through 7, we added the full 24 implementation of the cybersecurity program, which is 25 what is shown at the bottom of the screen.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
74 1 Like I said, you saw this during Jim's 2 presentation in July so I'm not going to add a whole 3 lot of value here. I think we went over the main 4 part, which like I said, everyone has been focusing 5 on, the architecture.
6 Next slide, Brian, please. And we've 7 discussed this also in a way. I've said we've had 8 inspections, at least for Milestone 1 through 7 I want 9 to give you the information here.
10 We had 63 inspections and the all of the 11 findings from the inspections were of low safety 12 significance but the areas that we saw the highest 13 number of findings were CDA identification, MMD, 14 handling, and the type of controls that were applied 15 when they said they were applying the protections.
16 CHAIR BROWN: On identification why is --
17 (Simultaneous speaking.)
18 MS. LAWSON-JENKINS: It's this whole issue 19 that I mentioned before when the licensees, some of 20 them said we don't believe this device to be labeled 21 as a CDA.
22 And the guidance is pretty clear, at least 23 what we had, for the acceptable method of doing this.
24 We were calling CDAs and why and we've actually added 25 clarity to that in this.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
75 1 If you look at the updates, the difference 2 between what we've said in the original guidance, we 3 talked more about the pathways and how they are to be 4 protected and why they should be labeled as CDAs.
5 Once again, I really want to emphasize 6 this point, we call these things CDAs for humans, for 7 us, to make sure that we are applying protections 8 consistently with the methodology that makes sense.
9 And also, that you're protecting the right 10 things, that you have thousands of pieces of 11 equipment, a plant. And this is where the 12 risk-informed, consequence-based security comes into 13 play.
14 You cannot protect everything when you 15 look at your computers and when you get the updates 16 for virus protection. They do not apply all the virus 17 protections they can to your computer or it would 18 never work.
19 So, the most important thing is to come up 20 with a methodology, saying these pieces of equipment 21 are the most important things in our plant and we have 22 to protect these functions.
23 This equipment is associated with these 24 functions and we need to label them as CDAs. But 25 there is no hard and fast rule and when we saw devices NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
76 1 that we said, no, this can affect the safety and 2 security or important safety functions.
3 Why is it not protected when you called it 4 a CDA or not? That's where we will mark something 5 against Milestone 2, because if it had been labeled a 6 CDA, some protection would have been applied.
7 So, we bin these things based on the 8 actions we saw. If things were not even labeled as a 9 CDA, it wasn't identified as a CDA and if you don't 10 identify the CDA, then most certainly you won't apply 11 the protection.
12 So, that was the issue.
13 MEMBER KIRCHNER: Kim, this is Walt 14 Kirchner again. We often, all of us, I think too 15 loosely throw out this phraseology risk-informed. So, 16 let me ask you a rather pointed question.
17 You're inspecting existing plants, most of 18 these plants have a full PRA.
19 Do you use the PRA as the arbiter -- let's 20 put aside physical security for the moment and just 21 talk about safety functions. So, more the classical 22 safety side of the FSAR rather than the physical 23 security side.
24 Do you use the PRA has a means to inform 25 what are the critical digital assets? Because if it's NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
77 1 just a question of everything that's digital, you 2 could get into a number of honest professional 3 disagreements about whether it's a critical digital 4 asset.
5 If you fell back on your PRA to 6 demonstrate that this is of no serious consequence in 7 terms of our licensing basis with regards to dose 8 consequences, et cetera, is that a way to arbitrate, 9 so to speak, what's a CDA and what's not?
10 MS. LAWSON-JENKINS: That could be a way.
11 I support that mechanism to look at a Level 1 PRA to 12 identify scenarios that lead to catastrophic 13 consequence that would be a method of doing that.
14 But at the end of the day, it's the 15 licensee that has to apply the methodology and they 16 have to explain it to us of why things were chosen.
17 To me, using something like a PRA would be 18 great for consistency when they were making the 19 explanation. So, I would very much support that 20 mechanism but we don't tell them how to do it.
21 We give guidance and like I said, I 22 absolutely agree that a PRA would be one mechanism of 23 doing that.
24 But it really, and this is what I don't 25 think a lot of people understand about risk-informed NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
78 1 security, comparing it with compliance-based security, 2 the onus is on the regulator or whomever is doing the 3 compliance when you're doing compliance-based.
4 Because you're saying you must do this, 5 this, this, and this, a list of things and they have 6 to comply with it and they check off a list.
7 With risk-based security the onus really 8 shifts more now to the people who are operating the 9 network or the plant, where you give the evidence of 10 why you chose whatever you believe is important to 11 protect and that you did it adequately.
12 So, there's more evidence to provide 13 instead of just saying you comply with something. So, 14 there's a balancing act there that I think people 15 didn't recognize.
16 But to be candid, I think it's necessary 17 because of all the different implementations of 18 cybersecurity plans, different types of equipment 19 they'll have in their network, that it has to be the 20 complexity of the equipment itself.
21 It would have to move in that direction 22 regardless.
23 MEMBER KIRCHNER: Thank you.
24 MEMBER DIMITRIJEVIC: This is Vesna 25 Dimitrijevic. Walt brought something really important NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
79 1 that everybody talks about, risk-informed, but the 2 risk is very different based on what application we 3 are discussing.
4 So, even you don't really tell them what 5 to do, you should really have some basic definition 6 what the risk they are concerned with, you know?
7 So, in their application they really know 8 what to looking for. You understand what I'm trying 9 to say, if you are risk-informing something you are 10 measuring that it covers some risk importance.
11 In that case, what is the risk discussing?
12 This usually consists of likelihood and consequences.
13 So, it should be some general high-level discussion on 14 that.
15 MS. LAWSON-JENKINS: And we do, if you 16 look at the section of the documentation that 17 discusses how do you identify CDAs? We say some of 18 the considerations you should look at when you're 19 identifying CDAs.
20 We're pretty explicit, we give general 21 guidance on that and in addition, then we say when you 22 choose a defensive architecture, the things that you 23 have identified have to do with safety and importance 24 of safety and security, have to be protected at the 25 highest levels in your defensive architecture.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
80 1 So, the technical controls you apply, the 2 operational controls, and the administrative controls 3 should apply to defense in-depth at the highest level 4 to protect those assets.
5 So, we do give guidance on that and we do 6 talk about the type of functions, safety and security 7 functions, that need to be protected.
8 The NEI guidance that they are generating 9 go into more detail of how to do that but we do give 10 a guidance on that and I absolutely know that some of 11 the upcoming work, as you keep saying, for the new 12 reactors, we're going to be discussing how you 13 identify these assets.
14 Let me go on.
15 (Simultaneous Speaking.)
16 MS. LAWSON-JENKINS: I'm sorry.
17 MEMBER DIMITRIJEVIC: Just saying thanks.
18 MS. LAWSON-JENKINS: Okay, Brian, let's go 19 to Slide 16. We have really discussed a lot of these 20 issues already. We clearly have discussed the 21 deterministic devices.
22 We've talked about data integrity, which 23 is a huge issue when you're transmitting the data to 24 make sure only the authorized people get access to 25 something and it hasn't been modified by unauthorized NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
81 1 people.
2 How we move data between security levels 3 and maintain the integrity and the treatment of 4 maintenance and these equipment, we've actually 5 discussed all these issues.
6 Next slide, Brian. After we finish 7 Milestone 1 through 7, that was the first time the 8 team looked at updating Reg Guide 571, so we started 9 this in 2016 and that was at the beginning of the full 10 implementation inspections.
11 And in the subsequent years, we finished 12 them actually this year in 2021, we completed all the 13 full implementation inspections of operating 14 licensees. Next slide, Brian, Slide 18.
15 I guess we can probably have a break 16 because we'll get into more details of the updates.
17 I really want to mention Member Brown and the other 18 Members that we will talk about technical security 19 controls.
20 I think you'll see that in the slides 21 because as I mentioned before, when security controls 22 were applied, there's a choice of applying them on the 23 device themselves or applying them in their 24 environment.
25 And for what your concern is, which I NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
82 1 understand, the design of the equipment, that 2 licensees can and they should impose requirements on 3 the people who they're obtaining the equipment from.
4 That is where those technical security 5 controls are going to be implemented, that they would 6 use just like the kiosk and other devices, the CDAs 7 and here are the controls.
8 Basically, those controls that are 9 installed actually on the device, on the equipment, 10 the licensee will claim credit for that when they 11 implement their cybersecurity plan.
12 So, it does all fit together and we do 13 have mechanisms in the guidance that discusses 14 security being sent down to the people who are 15 developing equipment.
16 CHAIR BROWN: Yes, the secure development 17 environment is what you're talking about I think.
18 MS. LAWSON-JENKINS: Not just that, there 19 are actually security requirements, as I said. If you 20 have a technical control on the CDA, it didn't just 21 get there.
22 You may buy the equipment that has it but 23 if the equipment is being designed, it is applicable 24 for the licensee to say to the vendor we need to this 25 security control to be implemented so that we can have NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
83 1 a cybersecurity plan that will meet the regulation.
2 CHAIR BROWN: This has been a great 3 discussion, I think it's really been illuminating and 4 I hope it helps the Members to understand the overall 5 issue as well.
6 The thing I'm continuing to struggle with 7 is I don't view a data transmission device coming out 8 of my cabinet as necessarily being cybersecurity.
9 I look at that as a backstop or control of 10 access issue because I don't have any of what I call 11 the traditional, cybersecurity-type controls, which 12 are virus detections, monitoring and all that other 13 kind of stuff.
14 I'm just looking at a hardware design and 15 how do I make sure I've got that overall system 16 protected from electronic access through all of its 17 transmission needs.
18 There are other things cyber-wise that 19 have to be done for the overall plant and the stuff it 20 interfaces with, et cetera. But those will come 21 later.
22 But some things need to be looked at and 23 they can be used, they help you from the cyber world 24 because they're there but they're also there from the 25 design standpoint of the equipment.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
84 1 That's just been like sucking blood out of 2 rocks to get through that issue, pardon my example.
3 MS. LAWSON-JENKINS: So, it's up to you, 4 whenever we can take a break it will be fine.
5 CHAIR BROWN: We're going to do that right 6 now, we'll take a break. What time is it? It is 7 11:27 a.m., we'll go until 11:45 a.m., that will give 8 us 18 minutes. Is that enough for you and your dog, 9 Walt?
10 MEMBER KIRCHNER: Could you afford 20?
11 No, that's enough.
12 CHAIR BROWN: I'll give you 20. We'll 13 make it 11:47 a.m., I'll give Walt 20 minutes. I've 14 got to take my dog out also so nobody's talking about 15 it. 11:47 a.m., we will recess until then and thank 16 you very much for all your patience, Kim, it's been 17 wonderful.
18 MEMBER KIRCHNER: Thank you.
19 (Whereupon, the above-entitled matter went 20 off the record at 11:27 a.m. and resumed at 11:47 21 a.m.)
22 CHAIR BROWN: It's Charlie Brown, I see 23 that it is 11:47 a.m. and, Kim, are you there?
24 MS. LAWSON-JENKINS: Yes, I'm here.
25 CHAIR BROWN: We will go ahead and NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
85 1 reconvene and you can proceed on.
2 MS. LAWSON-JENKINS: Thank you. Brian, 3 please go to Slide 19? I don't know if the ACRS is 4 aware or the current Members are aware but we actually 5 issued the draft guidance, a version of the draft 6 guidance, for public comment back in 2018.
7 And I included that in the package that 8 was shared before this meeting. We clarified the 9 existing interpretation of the regulations based on 10 what we learned from Milestone 1 through 7 11 inspections.
12 We updated the guidance to reference the 13 new rule for cybersecurity rent notification. At that 14 time, the current version of NIST Special Publication 15 85 was Revision 4.
16 Those are the security controls which, in 17 a way, were the basis of what we had the original reg 18 guide on. I think we used Revision 3 back in 2010.
19 So, the NIST guidance had been updated in 20 the meantime and we looked at that guidance to make 21 sure our controls were pretty much in alignment, if it 22 made sense. We did it on a case-by-case basis.
23 At the same time, IAEA came out with new 24 guidance on security. The NRC was actually pretty 25 active in a lot of those Committees when the new NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
86 1 guidance was being generated.
2 And even though the guidance hadn't been 3 implemented yet, we knew what was coming so we could 4 take those insights and use them in the guidance. And 5 also, the Commission direction regarding the balance 6 of equipment was incorporated into this version of the 7 draft guidance.
8 So, those were the main changes that we 9 had in there. Next slide, Brian, Slide 20. The 10 guidance was put on hold after we went out for public 11 comment to wait for the completion of the full 12 implemented inspections.
13 So, that's what occurred and then we 14 started updating the guidance again in 2020. We took 15 good advantage of those two years that we had. Some 16 of the public comments stated that we were not really 17 using risk-informed cybersecurity or we had mentioned 18 it in that last draft guidance.
19 So we did include text in this current 20 version that you have that discussed risk-informed 21 cybersecurity. We emphasized the need for accurate 22 CDA assessments.
23 I cannot stress this enough, that the CDA 24 assessments should be living documents. They should 25 reflect the current security posture of that CDA. It NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
87 1 is not something that should be assessed at the 2 beginning of the program and you never look at or 3 touch anymore.
4 We made that clear in this guidance, 5 that this living document should be accurate and 6 should reflect the current security posture of that 7 CDA. That draft guidance that was coming out of the 8 IAEA actually became standards by 2021.
9 So, we're referencing those documents and 10 there was another version of the NIST guidance, 11 Revision 5, which we double-checked and clarified to 12 see if there was any area that we weren't in alignment 13 on.
14 And of course we addressed the public 15 comments we received in 2018. Next slide, Brian.
16 There were 57 cybersecurity inspections completed 17 between 2017 and 2021. The areas that we saw that 18 needed --
19 Let me stop for a second. Remember back 20 in Milestone 1 through 7 I said there were certain 21 areas that we saw the highest number of findings and 22 you don't see portable media and mobile devices here 23 anymore, right?
24 Like I said, I believe a great job was 25 done on that. We still were struggling I think, up to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
88 1 a point, with the quality of the assessments and the 2 systems.
3 Because a lot of the plans now have moved 4 from being established to being maintained, 5 vulnerability assessments became more important, and 6 also, how often to monitor and verify the 7 effectiveness of the security controls?
8 That was an issue where we saw we could 9 definitely do some improvements there. Next slide, 10 Brian, Slide 22. This slide and the next slide give 11 an overview of the major changes.
12 One of the I think comments I received 13 from Christina when I gave her the new version of the 14 draft guidance is she commented on how much bigger it 15 was, how many more pages it was than the original 16 guidance, which is absolutely true.
17 But that is not to be unexpected for 18 cybersecurity for a document that was being updated 19 that was 10 to 12 years old. And all of the 20 information that we have I really consider value 21 added.
22 So, I'm not going to go through each slide 23 here because there will be a slide to address each one 24 of these items but this is just an overview for the 25 Members when you look at the slide deck.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
89 1 MEMBER HALNON: Hey, Kim, this is Greg, 2 are we going to talk about BOP later in the 3 presentation?
4 MS. LAWSON-JENKINS: A bit, yes. There 5 was a presentation on BOP in July.
6 MEMBER HALNON: I can go back and look at 7 that.
8 MS. LAWSON-JENKINS: We can discuss it a 9 bit but I have to admit, I didn't expect for that to 10 be a focus this time. So, at a minimum we can take 11 the questions.
12 If I cannot answer them all directly or if 13 you don't see it addressed in the guidance, we can 14 provide more information about it.
15 MEMBER HALNON: I was just interested in 16 how you balanced the risk versus the critical portion 17 given the BOP stuff normally just puts things and the 18 plan in safe condition.
19 How you can do that in a risk-informed way 20 makes it equal with the risk-informed approach to the 21 safety-related stuff. If that was addressed back in 22 July I'll go back and look at it.
23 I did not realize that.
24 MS. LAWSON-JENKINS: We could have Staff 25 support a separate BOP discussion if necessary but NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
90 1 please do look at the information that we had in July 2 because that area was pretty well discussed, I think, 3 then. I was listening in on that phone call.
4 MEMBER HALNON: And I probably was too.
5 MS. LAWSON-JENKINS: I know how it is when 6 you aren't specifically thinking of something at that 7 time.
8 MEMBER HALNON: Yes, let me recover a 9 little bit and go back and look at it and if I have 10 questions, I'll let you know and get the right stuff.
11 Thanks. Brian, why don't we go past the next slide?
12 And like I said, we'll go through all 13 these, there's a slide for every one of these issues.
14 We'll go right straight to risk-informed.
15 Risk-informed cybersecurity, as I said, 16 for any computer system you have to make judgments on 17 which vulnerability security threats you address and 18 which ones based on the consequence of something 19 failing and how quickly you apply those things.
20 For risk-informed security, you have to 21 take into account, and this is the definition we give 22 in the guidance, the threat information, the 23 likelihood of the adversarial success, and most 24 importantly, the resulting consequence of the threat.
25 And the bullet items you see here are some NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
91 1 aspects that you have to take into account when you 2 are using risk-informed security. For instance, the 3 characterization of the facility functions.
4 So, as we spoke about earlier, whether you 5 use PRA or some other methodology of identifying what 6 the safety, importance of safety, security and 7 emergency preparedness functions are.
8 To characterize a threat to the facility, 9 as I mentioned on some of the defenses that were used, 10 I said this defense is only applicable for wire tax, 11 you understand, or wired pathway.
12 Or it's only applicable for portable media 13 and you have to look at some other things. You have 14 to take all of that into account.
15 The specification of the requirements 16 including the cybersecurity plan, the defensive 17 architecture, and defense in-depth methodology, all 18 three of those work together to apply risk-informed 19 security.
20 Implementation of the requirements based 21 on the consequence analysis, a lot of the NEI guidance 22 certainly is based on the consequence. That's how 23 they determine what controls to apply.
24 And this is a point that isn't well 25 documented often but that we, going forward, are NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
92 1 really going to keep reminding people that there has 2 to be validation and verification of the 3 implementation of the cybersecurity plan and the 4 program as a whole.
5 You have to make sure the plant, first of 6 all, is doing what you said it's going to do, that you 7 implemented the plan based on the requirements, doing 8 what you said it was going to do.
9 And then determine whether it's effective.
10 Okay, it's doing what you said it's going to do but is 11 it doing it effectively? Okay, you did something but 12 what it's doing, is it effective?
13 And what I would say the goal should be of 14 when the licensee implements the cybersecurity plan is 15 that we truly just provide oversight. The NRC comes 16 out and the licensee will provide evidence of what 17 they did, why they did it, and whether it was 18 sufficient.
19 And then the NRC should comment on it and 20 give our feedback and perform the oversight in that 21 way. With security, we have to get ahead of it, it 22 can't be a whack-a-mole where you find the problem and 23 you fix it, you find the problem and you fix it, you 24 find the problem and you fix it.
25 You have to understand why you do things NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
93 1 and whether what you're doing is effective. And only 2 once we start moving towards that mentality will we 3 start getting ahead of the game when it comes to 4 security, when you have an active adversary trying to 5 do damage to your facility.
6 CHAIR BROWN: This is Charlie. I just 7 want to make sure I understand. To me, I'm obviously 8 focused on safeguards, protection systems, reactivity 9 control, starting pumps and valves and all that kind 10 of stuff.
11 Those are not risk-informed. They either 12 have to start or not, they can't decide that they 13 don't have to start.
14 MS. LAWSON-JENKINS: Right.
15 CHAIR BROWN: Therefore we don't have to 16 do anything with them. But what you do with those, 17 we're back to that other question of how do you ensure 18 they actually function?
19 Those are through design features that you 20 put into the thing, not cyber features of any kind.
21 You make sure, for instance, in a protection system 22 you have four divisions.
23 You want to make sure at least two of them 24 work so you have redundancy. You make sure they're 25 independent because you don't want them all NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
94 1 interdependent. One failure could take them all out.
2 You want diversity or defense in-depth 3 within that architecture. So, risk-informing a design 4 of the protection system and safeguard system, I don't 5 think that's what you're talking about here.
6 MS. LAWSON-JENKINS: No, I said 7 cybersecurity.
8 CHAIR BROWN: I'm just trying to make sure 9 I'm wrapping my brain around this the right way 10 because to me, it's not like you allow a little bit of 11 risk or a little bit of hiking, as I said earlier.
12 That doesn't work.
13 MS. LAWSON-JENKINS: Like I said, safety 14 always trumps security. You have to focus on the 15 important things and that's the tricky part. Truly, 16 safety obviously is important and that's what you're 17 doing but how do you do it? And that's what we're 18 debating.
19 CHAIR BROWN: One of the five major design 20 functions for the protection systems, safeguard 21 systems, are redundancy, independence, deterministic 22 processing of your computer systems, in other words, 23 main operating loops if you can do it.
24 They don't do it but that's a way to get 25 around that. Diversity in defense in-depth and, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
95 1 quote, control of access.
2 And so that's one of the design functions 3 that's called out in 1050.55(a)(h)(2), I think, where 4 there's those functions, that architecture foundation 5 is in the 5055 rule.
6 MS. LAWSON-JENKINS: Like I said, I don't 7 want to conflate things because as I said, I'm 8 speaking purely from cybersecurity.
9 CHAIR BROWN: I got that, and I'm just 10 trying to make sure in my own mind that you're 11 confirming what I would hope you were going to say.
12 Because when we're going through the five 13 principles, fundamentals, as a Committee with the 14 Staff, to ensure that we are comfortable that it's 15 safe and will perform as expected, we think of the 16 cyber stuff that's happening.
17 We're trying to slam a door so nothing can 18 get in, recognizing there are other things that have 19 to be thought about physically from access.
20 MS. LAWSON-JENKINS: Eric Lee, who you 21 know, as he always says, cybersecurity ensures the 22 reliability of the safety function to make sure that 23 the adversary cannot adversely impact the safety 24 functions. That's the rule.
25 CHAIR BROWN: I got it, but the 7354 rule NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
96 1 is not part of our design, it's not in the initial 2 design application part of the thing. It's literally 3 supposed to trip or not trip and so you have to have 4 enough redundancy and independence to make sure it 5 does.
6 I think I understand this is pretty benign 7 relative to what we're doing. From a risk-informed, 8 I can see how you have to look at every asset and say, 9 look, if that thing fails or gets compromised, is that 10 going to cause a design basis transient?
11 And if the answer is no, then you don't 12 have to do as much. You don't want to go overboard on 13 the site.
14 MS. LAWSON-JENKINS: You really want to 15 put your resources where it's going to matter.
16 CHAIR BROWN: That's the way I read this 17 and I just want you to confirm for me that I'm reading 18 that the right way. Go on.
19 MS. LAWSON-JENKINS: Next slide, Slide 25, 20 please. So, this was the discussion about balance of 21 plans where we consider that important to safety 22 equipment. So, one of the considerations are whether 23 or not you identify certain equipment as CDAs.
24 So we added a diagram and lots of text.
25 This is only one example of the text that we applied NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
97 1 there. But you'll see that all throughout this 2 Section 3, you see the same information multiple 3 times, where we're talking about balance of plans.
4 As I would suggest, if you have any 5 questions, please look at the transcript and I don't 6 know if there's a recording of the presentation that 7 was made in July, if there are additional questions, 8 obviously the Cybersecurity Staff would be more than 9 willing to answer the questions.
10 But we updated this space on guidance from 11 the Commission.
12 MEMBER KIRCHNER: Kim, this is Walt 13 Kirchner, I will go back and look at that but at a 14 very high level, how do you draw the line on defining 15 balance of plant important to safety?
16 It goes back to my comment about do you 17 use the PRA and demonstrate that you've got, I'll say 18 this, the design basis accident envelope, it covered?
19 What's the metric? In the field, how does 20 an inspector determine what's important to safety in 21 the balance of plant?
22 MS. LAWSON-JENKINS: Basically, like I 23 said, based on the safety rule, in the guidance that, 24 really, the licensees that NEI put out, we gave 25 guidance on what equipment was considered balance of NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
98 1 plant.
2 And it says it right there on number 6, 3 equipment that can affect reactivity or result in an 4 unplanned reactor shutdown or transient. So, it 5 should be labeled as a CDA based on that.
6 Now, what controls you apply after that is 7 another story. We aren't talking about that here.
8 We're talking about just identifying the equipment.
9 MEMBER KIRCHNER: There's a large universe 10 of things that could result in an unplanned shutdown 11 or transient for the plant, that was my concern.
12 In practice in the field when you do your 13 inspections, do you find that your track record is a 14 general alignment between your inspectors and the 15 operating plants and their estimation of what's 16 important here?
17 MS. LAWSON-JENKINS: I have seen very few, 18 if any, violations based on this equipment should have 19 been identified as protection for balance of plant.
20 Usually, that is pretty clear-cut.
21 The actual controls that are applied may 22 be debatable, that's when we usually have some 23 discussions based on that. I generally look at all of 24 the inspection reports. The issue hasn't been usually 25 identifying the equipment or balance of plant.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
99 1 Normally, that is pretty clear-cut, it's 2 a matter of what controls were applied.
3 MEMBER MARCH-LEUBA: This is Jose.
4 This applies obviously to operating 5 reactors because those are the only ones that are 6 operating now, but have you been following the Part 53 7 developments, especially the Tier 1 and Tier 2 8 separation, where only Tier 1 items are safety grade?
9 Will this have any repercussions on 10 cybersecurity that you will not require cybersecurity 11 on Tier 2 things?
12 MS. LAWSON-JENKINS: I remember Member 13 Brown mentioning in an earlier meeting weasel words.
14 I don't want to speak for someone else.
15 We are absolutely following the discussion 16 on this and you'll see that in the slide later on, 17 that we are actively -- we haven't completed the Part 18 53 work yet so I am not the person to even speak on 19 that.
20 MEMBER MARCH-LEUBA: I know you don't like 21 to --
22 MEMBER PETTI: Jose, the Staff has 23 changed, they're not using Tier 1 and Tier 2 anymore.
24 MEMBER MARCH-LEUBA: They call it 25 something else but it's still Tier 1 and Tier 2, they NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
100 1 call it something else.
2 MEMBER PETTI: There are two sets of 3 requirements now.
4 MEMBER MARCH-LEUBA: Yes, what used to be 5 Tier 1, which now is called something else goes in 6 tech specs as safety grade. What used to be in Tier 7 2, which now is called something else, is still not in 8 tech specs because it's still not safety grade.
9 And what I'm suggesting here is that it 10 should not be out of the cybersecurity platform just 11 because it's in Tier 2. You tell me what the name is 12 that they're giving it today but it's still Tier 2, 13 not tech specs, not safety grade.
14 MS. LAWSON-JENKINS: There will be a 15 totally different presentation on that. I do 16 understand what you're addressing but I can't speak to 17 that at all.
18 MEMBER MARCH-LEUBA: First, I have to 19 apologize, I was late but earlier I wanted to put in 20 a word but everybody was talking and it was impossible 21 to break in.
22 I wanted to support something, Kim, you 23 said during that talk, that if there is a place where 24 defense in-depth fits, it's in cybersecurity. You can 25 put all the one-dimensional diodes you want, I can NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
101 1 find you a way I can bypass them.
2 I may have to have a SolarWinds attack or 3 something like that. So, there is going to be a 4 tendency, the same way we got rid of safety-grade 5 systems and we are going to relax cybersecurity on 6 what used to be called Tier 2 items.
7 I hope you defend us on this.
8 Cybersecurity needs defense in-depth and needs to be 9 everywhere. Thank you.
10 MS. LAWSON-JENKINS: Like I said, we can 11 have some follow-up discussions if you want more 12 information but when we were updating guidance based 13 on the plans, we were in contact with FERC and they 14 gave input.
15 And like I said, through the inspections 16 we haven't had too many issues on what's been 17 identified as balance of plan, there's general 18 agreement on that. But there has been discussions on 19 what would be adequate protection of that equipment.
20 But like I said, hopefully this new 21 guidance will clarify that. And Brian, please go to 22 Slide 26? Okay, so again, we're talking about 23 identification of critical digital assets.
24 And one of the obvious things we added was 25 a diamond at the beginning that you have these NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
102 1 critical systems that have been identified. Does any 2 of the digital equipment contain digital components or 3 firmware or software?
4 So, we brought firmware into that, which 5 wasn't quite clear from the original guidance.
6 There's a diamond that was there that talked about 7 pathways but we clarified it more to say does this 8 device affect critical assets, functions, and/or 9 pathways?
10 Because it really matters that we know a 11 possible attack that's approaching, not only when it 12 gets to the target. And we added a diamond to talk 13 about balance of plant, which we didn't have before.
14 So, we enhanced some of the guidance that 15 has to do with identification of critical assets. And 16 we talked more about protecting the critical digital 17 systems and assets.
18 That led into the discussion, like I said, 19 about the kiosks or any other device that's protecting 20 especially more than one asset, how actually the 21 protection of that device itself that's providing that 22 function, it has to protect itself.
23 And we made that pretty clear and it 24 should be identified as a CDA. Next slide, Brian, 25 Slide 27.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
103 1 We expanded the discussion on defense 2 in-depth-protected strategies and this is a long 3 sentence but it incorporates everything we needed that 4 it employs multiple diverse and mutually supported 5 tools, techniques, and processes to effectively 6 perform timely detection of protection against, and a 7 response to cybersecurity attack.
8 Too often on the inspections we saw one or 9 two mechanisms that were there, you have a data diode, 10 you have the portable media program, as I said, the 11 Milestones 1 through 7s, they're were great starting 12 points.
13 But it has to be defense in-depth that's 14 directly from the rule. And it won't always be 15 processes or it won't always be operational things.
16 Technology is very important.
17 For the older plants there was a heavy 18 reliance on physical security, operational procedures, 19 which is understandable but they also had a smaller 20 attack surface.
21 As you get more digital equipment in, I 22 think technology is going to play a bigger part, which 23 is why licensees probably need to be proactive in 24 having these discussions with vendors and 25 manufacturers of security features that they would NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
104 1 need to have an effective cybersecurity plan.
2 Next slide, Brian. Defensive architecture 3 protecting the SSEP function.
4 We've actually discussed this quite a bit, 5 that functions that are protected when they have to do 6 with safety and security should be protected at the 7 highest levels and the functions that affect safety 8 and security and importance of safety may apply to 9 more than one critical system.
10 But those critical systems should be 11 allocated at their appropriate security level, whether 12 you call it Security Level 3 or 4. Some licensees 13 only have one security level behind their data diaode, 14 it's whatever they feel is affected but it should be 15 protected in that architecture.
16 And as I stressed, they must understand 17 the attack pathways for their architecture. Most 18 diagrams will show the wired access into the network 19 and into the systems, which is very important, 20 clearly.
21 But as I said, we have to be aware of 22 portable media and mobile devices. If other pathways 23 eventually possibly, not necessarily behind the data 24 diaode but it's wireless to see how that's affecting 25 where it is in your architecture.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
105 1 Supply chain, which is very challenging, 2 to say the least. We did only a limited amount of 3 changes to supply chain in this version because the 4 standards and recommendations are still in flux.
5 But at a minimum, that's why I keep 6 harping on the detection capability, there has to be 7 a detection capability behind the data diaode to 8 understand when something is different, some new 9 function is being performed, some new communication is 10 occurring.
11 Which may have been introduced, could have 12 been introduced through the supply chain.
13 The licensees need to understand the 14 communication paths that you have in the architecture 15 and that should be discussed during the licensing 16 phase when they're giving us the template or whatever 17 they're going to do for their cybersecurity plan.
18 So, when they talk about their 19 cybersecurity plan, every licensee talks about their 20 defensive architecture, everyone. Next slide, Brian.
21 CHAIR BROWN: Not next slide yet.
22 MS. LAWSON-JENKINS: Okay, back to Slide 23 27, Brian, thank you.
24 CHAIR BROWN: This is 28. 27 is fine.
25 I'm looking at 28, and I was looking at your comment NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
106 1 right now. Behind the data diode you have to have 2 something monitoring what's going on behind it in 3 order to ensure there's nothing wrong.
4 And so I translate right into my reactor 5 protection system. I'm not going to go back into the 6 other discussion, I just wanted to clarify. We 7 designed a protection system to a set of I'll say give 8 principles.
9 It's redundant, independent, 10 deterministic. If not, how do we fix it? Control of 11 access and diversity in defense in-depth. And we have 12 been insisting that all data transmissions out of that 13 system be through a data diaode, hardware-based.
14 But on the back side of that, within the 15 protection system, we don't see any other monitoring 16 function that is interrupting operations and 17 determining whether there's something else going on 18 that shouldn't be there.
19 That would totally disrupt the operation 20 of the safety system. In other words, it's a desert 21 back there, it's just what it is, hardware-wise, and 22 the way it's designed and the way the computer system 23 is designed.
24 You may come back in later and decide you 25 have to change the operating system software because NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
107 1 there was an error in it. That becomes a control of 2 access and monitoring at the vendor level and making 3 sure there's no malware incorporated in that design 4 change.
5 But you don't have a permanent function 6 constantly interrupting the operation to monitor 7 various subroutines and other routines that the 8 protection system is going through --
9 MS. LAWSON-JENKINS: Let me clarify 10 something, I think there's a miscommunication on this.
11 There's something called a host intrusion detection 12 system, that's when you have something actually on a 13 device saying this process is running, this process is 14 sending information.
15 We're not talking about a host intrusion 16 detection system. If anything, we're talking about a 17 network intrusion detection system, where information 18 comes from a device. We're looking on the pipe to see 19 that information come across it.
20 And it goes all the way it's supposed to 21 go. So, we aren't doing anything to the reaction 22 protection system. We're just looking at information 23 that's coming out of it if you were using an intrusion 24 detection system.
25 CHAIR BROWN: So, the point you're making NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
108 1 is that, in other words, the data, it's coming out via 2 the one-way --
3 MS. LAWSON-JENKINS: Yes.
4 CHAIR BROWN: It goes to a network maybe 5 before it's processed?
6 MS. LAWSON-JENKINS: It goes to a device 7 that monitors it and then forwards it on somewhere 8 else but there's no communication --
9 CHAIR BROWN: Let me finish. That one-way 10 input into the network would be residing in the 11 protection system, but before that network sends 12 anything out somewhere else, it might be a 13 deterministic device.
14 But that network you were talking about 15 would have something sitting within it that's making 16 sure all of its functions are operating as they should 17 and haven't been invaded by something else on the back 18 side of the diode before it sends anything out?
19 Because there's nothing in the protection 20 system, I've got data coming out of that, it goes to 21 a network then goes to the main control room.
22 MS. LAWSON-JENKINS: Right, and it's just 23 the same information that's coming to this firewall or 24 whatever is in monitoring. It isn't sending anything 25 back, it's just looking at what comes out of it.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
109 1 CHAIR BROWN: But I'm just saying, you're 2 not implying -- excuse me, that's the wrong word. The 3 system is delivered, nobody is going to be looking on 4 the backside of that terminal board protection system 5 --
6 MS. LAWSON-JENKINS: No.
7 (Simultaneous speaking.)
8 CHAIR BROWN: -- putting anything in 9 there?
10 MS. LAWSON-JENKINS: No.
11 CHAIR BROWN: That's all I wanted to make 12 sure I understood.
13 MS. LAWSON-JENKINS: It's monitoring 14 communication and like I said, what you refer to is 15 more, like I said, it's a host.
16 It's sitting on the host and that's 17 something that whoever manufactured that reaction 18 protection system, they did that, that's outside of 19 our control.
20 We don't do that.
21 CHAIR BROWN: Let me make one other 22 observation then because one thing we do do in the 23 protection system, there are a set of self-checks that 24 are built into that software to make sure it is doing 25 what it is supposed to do.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
110 1 They are relative to the protection 2 functions themselves and if they're tripping at the 3 right points or if their set point hadn't changed, et 4 cetera. So, I got it, we can go on, I just wanted to 5 make sure I understood context.
6 MS. LAWSON-JENKINS: We're just monitoring 7 the information and the communication that's expected.
8 Nothing looks unusual. It would be still forwarded 9 onto wherever it's supposed to be forwarded to. We 10 are not interrupting anything that should be happening 11 on the safety side.
12 CHAIR BROWN: Okay, thank you.
13 MR. HECHT: This is Myron Hecht, can I ask 14 --
15 MS. LAWSON-JENKINS: Yes.
16 MR. HECHT: So, you spoke about network 17 monitoring of if it were benign. But, in fact the 18 network monitoring equipment, even though it's 19 supposed to be just listening, can interfere with the 20 network communications if it's malfunctioning.
21 MS. LAWSON-JENKINS: If it's 22 malfunctioning. Which is --
23 (Simultaneous speaking.)
24 MR. HECHT: Right. But now they did this 25 -- you might say well, if it's malfunctioning, it's NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
111 1 not within the cyber security provenance.
2 But, how is that considered? I mean, 3 balancing the risk of, or ensuring that the network 4 monitoring function is actually always fail silent, 5 and doesn't fail so that it starts a jabbering and 6 causing interference with the safety function from the 7 -- through the network?
8 MS. LAWSON-JENKINS: That's really, I 9 believe incumbent on any piece of equipment that you 10 have. I'm not trying to be fictitious.
11 But, you have to have some way of 12 verifying that it is functioning correctly. And this 13 is an issue that I said we actually had with a kiosk.
14 Okay.
15 The -- if an equipment man -- okay, if 16 this is, we're talking about an intrusion detection 17 system, okay. If it fails, it's going to fail 18 securely.
19 It will not interfere -- that would be a 20 requirement. That's one of the requirements that we 21 have in the, in our cyber security plan.
22 That if it fails, it's going to fail 23 securely. So, it should not start --
24 MR. HECHT: Well, --
25 MS. LAWSON-JENKINS: Okay, jabbering, as NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
112 1 you said.
2 MR. HECHT: I get it.
3 MS. LAWSON-JENKINS: Okay. So, that's a 4 requirement of the cyber security plan.
5 MR. HECHT: Well, you said fail securely.
6 I just -- but not necessarily fail safely. I could 7 envision fail securely --
8 (Simultaneous speaking.)
9 MS. LAWSON-JENKINS: So, and that -- and 10 that requirement is still there. We don't replace a 11 requirement. There's an additional requirement.
12 It must fail securely already, based on 13 the crimes that NRR, you know, has, in their 14 documentation. In fact, that is one of the issues 15 that NEI 08-09, their version of a cyber security 16 plan, they claim credit for that fail safely.
17 They said that we didn't need the fail 18 secure -- failing in a known state. And you'll see 19 that later in a slide. So, we'll just jump to that 20 now. And I'll skip it later.
21 That we said that we -- the device needs 22 to fail in a known state so we can understand whether 23 it failed securely and safely.
24 They substituted a command saying -- or 25 sorry, a control saying it need -- we already do that, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
113 1 it fails safely.
2 So, like I said, we -- that is not 3 getting, that is not being eliminated. And the point 4 that why we kept it in Reg Guide 5.71, is that 5 addition to the existing Reg guidance and regulations 6 where it must fail safely, it must fail securely.
7 And those two things are not necessarily 8 identical. Because you need to understand --
9 MR. HECHT: Okay.
10 MS. LAWSON-JENKINS: That that device is 11 performing its security function adequately.
12 MR. HECHT: Okay. Thank you for that.
13 But, what you're saying is that a failure mode where 14 the security devices might affect safety is handled by 15 NRR. And that the failure modes where they might fail 16 insecurely are handled by NSIR, and served by that --
17 MS. LAWSON-JENKINS: That's at least 18 piping it that way. I'm saying that if it's going to 19 fail securely, that's a requirement we have in the 20 CST. That we have.
21 And as I said before, that just safety 22 always trumps the security. Always. So, there's 23 nothing that the security device would introduce that 24 would make that safety system not operate.
25 MR. HECHT: Well, is there some kind of NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
114 1 poll, because NRR may not know about network intrusion 2 monitoring devices and TAPs, and fiber optic TAPs and 3 things like that?
4 But, NRR -- NSIR is really worried about 5 the security out there the most. And nobody's worried 6 about the fact that the security devices might fail in 7 a way that impacts a safety or controls traffic.
8 MS. LAWSON-JENKINS: I'm not quite sure 9 how you can make that last statement. I don't agree 10 with strongly.
11 I don't agree with -- that is not true.
12 As I keep saying that we always have security so that 13 it doesn't affect, negatively affect the safety 14 function. Always.
15 Okay. So, that's a requirement.
16 MR. HECHT: Well, that's a philosophy 17 statement. But, in terms of the actual 18 implementation, in terms of understanding how devices 19 work, and how device fails work together and --
20 (Simultaneous speaking.)
21 MS. LAWSON-JENKINS: If you look at 22 security controls -- please look at the details of the 23 security controls in Appendix B and C that are 24 implemented in the cyber security plan.
25 It isn't just a philosophy. There are NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
115 1 actual requirements in there that it cannot negatively 2 impact the safety function.
3 That's not in the guidance in the front 4 matter in the staff position. That's actually in the 5 controls also.
6 MR. HECHT: And how does somebody know 7 that something fails in a way that cannot affect the 8 safety function? How is that verified?
9 MS. LAWSON-JENKINS: If the device -- I'm 10 sorry, can you give me a specific of what are you --
11 I guess I'm trying to get clarity on what's your --
12 MR. HECHT: Okay. Well, we spoke about a 13 network intrusion device. But, how many times have 14 you tried to log onto a system maybe with two-factor 15 authentication, and your second factor, displaying the 16 secret number, or something like that, failed. Or 17 there was a loss of synchronicity and you couldn't log 18 in?
19 I'm not sure what the analogous failure 20 modes are for network intrusion equipment or for fiber 21 optic TAPs that could cause that. But, it seems to me 22 that you're putting stuff now in series in that 23 communication link that might fail in such a way.
24 In other words, it's not completely 25 benign. And this requires that technical expertise.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
116 1 And this regards people who know about these things.
2 And I understand that NSIR knows about 3 them from the security perspective. But who knows 4 about them from the, I guess I'll call it the 5 electronic perspective, or from the actual device 6 perspective, and those that know the devices don't 7 negatively impact the safety systems of the client?
8 In other words, there's a requirement 9 there. But, somebody might be overlooking something 10 in verification.
11 MS. LAWSON-JENKINS: Okay. As I said, 12 that we are not talking about a host detection system.
13 And we also are not discussing an intrusion protection 14 system where it actually may take an action.
15 Now, I understand you're saying if it 16 fails, well, with the requirement to fail securely, it 17 should leave the -- leave the system in the same state 18 as if it was not operating.
19 It should not --
20 MR. HECHT: Yes, that --
21 MS. LAWSON-JENKINS: Make things worse.
22 So, I'm pretty sure that when we look at the 23 requirements and outputs and things that will occur, 24 that those scenarios will take into account that it 25 doesn't have to be in -- you can have TAPs that don't NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
117 1 affect even when you're possibly just monitoring 2 what's going on.
3 And it doesn't even have to be on the same 4 communication network. You can have things go off in 5 two directions.
6 One can go off in the operational. And 7 then you have the other information go off to the 8 device itself that's doing the monitoring.
9 It's the same. It's just making a copy 10 and sending it. Okay. And you don't have to be right 11 in band.
12 MR. HECHT: Again --
13 MS. LAWSON-JENKINS: So, there is 14 definitely a different way to doing this.
15 CHAIR BROWN: Myron, let me --
16 MEMBER KIRCHNER: Again, this is Walt 17 Kirchner. I want to -- I'm following up on Myron's 18 point.
19 I am not, again, I'll say not well versed 20 in this. But, I -- from an architectural standpoint, 21 going back to Charlie's initial point, the pick up 22 that you would use to see, look at whether it's 23 functioning properly, let's pick on the reactor 24 protection system.
25 In the final analysis what does it do? It NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
118 1 sends a trip signal to some voting logic. We don't 2 have to go into the details.
3 But, you're monitoring, I would hope, in 4 an architectural sense, would be serially downstream 5 of that function, that trip signal and the equipment 6 that is tripped, the control rods.
7 Down -- and downstream of a diode that 8 protects that equipment from any back feed because of 9 the monitoring system.
10 MS. LAWSON-JENKINS: It would definitely 11 --
12 MEMBER KIRCHNER: Do you see where I'm 13 going?
14 MS. LAWSON-JENKINS: It would definitely 15 be downstream for sure. And like I said, it doesn't 16 have to be in banded between whatever's being sent.
17 It could literally be a copy of something 18 that's sent over. So, --
19 MEMBER KIRCHNER: No, that would be 20 dangerous to put it upstream.
21 (Simultaneous speaking.)
22 MEMBER KIRCHNER: I mean, it was my --
23 MS. LAWSON-JENKINS: There's no upstream 24 because of the diode. There's no upstream anywhere.
25 It's monitoring.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
119 1 There's no communication. So --
2 MEMBER KIRCHNER: Right. So, as long as 3 -- as long as you're doing the monitoring downstream 4 of the reactor protection system function, and 5 downstream isolated by a hardware diode, a digital 6 diode, then I would see it okay.
7 But, if that monitoring is upstream of a 8 diode, you could get feedback into that system 9 theoretically.
10 MS. LAWSON-JENKINS: No -- no 11 disagreement. No disagreement on that.
12 But, I have to admit, in the architectural 13 diagrams I have seen, there's no -- if you have a data 14 diode, you don't usually put something, especially in 15 front, right in front of a safety system.
16 You don't put --
17 MEMBER KIRCHNER: That was my point 18 earlier in the morning about where you had the diode 19 on the diagram.
20 MS. LAWSON-JENKINS: And as I said, there 21 are usually multiple, because these networks are so 22 vital.
23 MEMBER KIRCHNER: Of course. Yeah, of 24 course they would be.
25 MS. LAWSON-JENKINS: That's all I'm NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
120 1 saying. That it really, and this is why when we --
2 you get down to the details, all these things are 3 considered.
4 I'm not dismissing any of it. Because 5 that is what you have to look at. You know, how do 6 you meet all these requirements, not just to do the, 7 obviously do the protection.
8 But that malfunctions won't affect it.
9 That -- you're still -- but you'll still be able to 10 detect when something's going wrong, and recover from 11 it.
12 So, it does take, I agree, a lot of 13 expertise. We have the safety and secure -- the 14 safety engineers need to talk to the security 15 engineers, who need to talk to the vendors, who 16 understand.
17 And this was a big issue that we're 18 constantly working with the licensees on. That they 19 must, must communicate with the vendors who make this 20 equipment, so that we can understand the normal 21 operating functions of this equipment.
22 So that when anything, and this is with 23 security devices also, when anything is different, 24 when it starts to act differently, we need to 25 understand why.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
121 1 I really, I feel like there's no 2 disagreement here, really what we're talking about.
3 But, obviously the implementation details matter a 4 lot.
5 And the questions that are being asked, 6 and the discussion we're having is the exact same 7 thing that should be happening with the licensees and 8 their vendors.
9 MR. HECHT: Okay. Thank you.
10 MS. LAWSON-JENKINS: Thank you.
11 CHAIR BROWN: If I could -- this is 12 Charlie again, Kim. Trying to think of this, I've 13 listened to both.
14 I recognize you all wouldn't put anything 15 close, in the reactor protection system, you know, 16 upstream of the data diode, sending the data out of 17 the protection system.
18 But, there's no monitoring. So, that's 19 built into the design, whatever they want to do. So, 20 there's no host -- that's the host, I guess you would 21 call it.
22 But, if you look at a network where the 23 data goes to, and then gets sent some place else, I 24 was trying to integrate how you do something securely 25 and safely. And I understand the need to monitor NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
122 1 network functions.
2 So, something that monitors, to me the 3 ideal monitor has to be unintrusive to the network 4 operation. And the only way it could really do that 5 would be to take data in.
6 And that data has to be received via 7 unidirectional type devices so that nothing can go 8 back out the other way.
9 And as the monitor determines based on 10 that input that something scurrilous or nasty is going 11 on, its output should not go back into the network 12 system. It should be an independent transmission to 13 another system, or people, or control center.
14 That hey look, part of your network is not 15 working right. In other words, it should not put 16 itself back and let the network communicate that.
17 And that's, I think that's what Myron and 18 Walt were both probably talking about. These are 19 designed, hardware designed details.
20 MS. LAWSON-JENKINS: System -- they're 21 system designed, yes.
22 CHAIR BROWN: Yes, system designed.
23 MS. LAWSON-JENKINS: So, I would say for 24 system designed detail.
25 CHAIR BROWN: That to me is the ideal NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
123 1 monitoring system. Number one, it obtains data in a 2 unidirectional input manner such that it can't go back 3 the other way and affect something.
4 And it does -- and it communicates a 5 problem out without using the thing that it's 6 monitoring. Okay. That's the simplest way I can 7 phrase it.
8 In Section 3.2, I guess I had one other 9 just, it's a little bit of a bone to pick. But, I'll 10 pick it anyway.
11 And this was in the preamble part of 3.2, 12 the input part. One of the paragraphs talks about, 13 and it says, while a data diode can be an important 14 element of an acceptable defensive architecture, use 15 of a data diode alone does not provide adequate 16 protection to comply with the defense in-depth 17 strategies required by 73.54.
18 Exploits of vulnerabilities associated 19 with supply protection, supply chain PMMD, wireless, 20 physical presence -- physical presence pathways, can 21 allow an attacker to circumvent those protections by 22 the diode implementation.
23 All true. That's written in a format that 24 implies that the data diode is -- is not a very good 25 protection from the overall standpoint.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
124 1 And what's lost in the way this is put 2 out, it sounds like the other supply side stuff with 3 this -- that you put in place, is the important part.
4 But, that's -- that issue we've had to 5 deal with for the last 60 years, of supply side PMMD 6 whatever, when you made changes in the analog world.
7 The real point is, when we introduced 8 computers, we have now bypassed that physical 9 protection capability. It's the one that's been 10 damaged.
11 And the data diode saves the day on the --
12 on the data, you know, the communications aspect of 13 it, on the electronic communication.
14 So, I mean, the way I would have written 15 this was, hey, in the old days we protected ourselves 16 this way. But, it wasn't good enough to handle the 17 electronics. And now the data diode rides in on its 18 white horse, and protects us from the electronic 19 intrusion.
20 So, I'm kind of bent around the axile on 21 terms of the way this is performed. Because it's --
22 it's inverted relative to the actual path and the 23 development of the technology as we went forward.
24 But new -- new problems were introduced 25 electronically by the introduction of digital data, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
125 1 digital computer type circumstances.
2 In other words, the only way you can 3 provide a new virus is via these other physical means 4 now. Okay?
5 But the data diode prevents it from 6 happening electronically. I just think it's written 7 kind of convoluted where, you know, I don't know what, 8 whether you ever want to do anything with that.
9 But, I'm aggravated. Not aggravated, 10 that's the wrong word. I was a little concerned that 11 the message comes out that the data diode is the new 12 thing that has come in here to provide a protection 13 that we did not have now with the electronic.
14 And it's still subject to people getting 15 in, like you say, behind, back into the host via other 16 means. And that should have been emphasized instead.
17 But, I think we're probably ready to go 18 onto the next slide.
19 MS. LAWSON-JENKINS: Okay. I do -- I 20 would like, and I know you didn't ask a question, and 21 I do want to address that, because we spent a lot of 22 time on that text.
23 And the reason was because we have seen in 24 systems where there has been, in a way, an over 25 reliance on the protection of a data diode. Where NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
126 1 that was deemed sufficient.
2 CHAIR BROWN: Oh, absolutely. I agree 3 with you. You can't do that. It only protects you 4 from the operation of a system and getting data out to 5 other things.
6 It does not protect you from physical 7 access to the system with other problems. And I still 8 can't figure out why anybody would ever want to use 9 wireless.
10 MS. LAWSON-JENKINS: And we would never 11 get rid of this. We aren't saying we're going to 12 replace this with something newer and shiny or better.
13 We are not saying that.
14 But, we want to build on this. And just 15 -- and I'm not going to comment on the wireless in 16 that way.
17 But, I'm really saying that if you look at 18 what you're doing today in your regular life, as far 19 as the -- and that's you, and I, everyone, as far as 20 communication, I don't know anyone who has a plain old 21 telephone system anymore that's wired.
22 CHAIR BROWN: I do. I do.
23 MS. LAWSON-JENKINS: Very few. And I used 24 to work at Motorola. So, there's very few who do. I 25 have with -- I really miss it, because there were, you NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
127 1 know, issues that I don't -- I wouldn't have had with 2 that old phone.
3 My point is, especially for this guidance, 4 we want to build and keep what we did that worked 5 well. There's no doubt that introducing the actual 6 requirements of a data diode in our architectural plan 7 we had for in 2010, you know, it was -- it really met 8 the mark.
9 And it will continue to meet the mark for 10 wired communication where the proper analysis has been 11 done and you know the pathways in.
12 CHAIR BROWN: Let me interrupt you just 13 for a second. All I'm saying is that this little for 14 example paragraph, which I agree is a very important 15 paragraph. The point gets across, okay?
16 So, I'm not complaining that you don't get 17 the point across. But, the lead in really ought to be 18 that our protection of these plant systems, the 19 critical safety systems and safeguard systems and 20 other systems as well, okay, really consist of two 21 pieces.
22 One is the physical protection of access 23 where things can get discombobulated. And the second 24 is now the introduction of an electronic data 25 transmission path that was not -- has not had to be NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
128 1 considered before.
2 And requires both data diodes and these 3 other vul -- you know, physical protection pathways to 4 be protected in order to achieve total security.
5 That's the way that it makes much more 6 sense to write this paragraph, the lead in. If you 7 understand what I'm saying. It's a couple of 8 sentences.
9 So, I'm leaving it up to -- hey, I can't 10 force you to do anything. I just think the point is 11 not made that it takes two pieces since we introduced 12 the other.
13 It used to be one, physical only. Now 14 it's two. And one is enhanced with the data diodes 15 and the other still is maintained with physical 16 protection. All the list of other stuff you talk 17 about for those physical pathways.
18 MS. LAWSON-JENKINS: Okay.
19 CHAIR BROWN: So, I would just introduce 20 it in a slightly different manner. But we -- I'm not 21 going to go any further on this.
22 Hopefully you will take this under 23 advisement.
24 MS. LAWSON-JENKINS: Oh, I will. And I 25 will.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
129 1 CHAIR BROWN: Okay.
2 MS. LAWSON-JENKINS: I will. I'll look at 3 -- and if you ask --
4 (Simultaneous speaking.)
5 CHAIR BROWN: I agree with the concept of 6 what you said in it. Okay? It's totally okay.
7 MS. LAWSON-JENKINS: Okay. So, the actual 8 words I used, we used. Okay. I understand.
9 CHAIR BROWN: Okay?
10 MS. LAWSON-JENKINS: Yes.
11 CHAIR BROWN: And let's go onto the next 12 slide, which I think is 29.
13 MS. LAWSON-JENKINS: Twenty-nine. This 14 was the wiggly room I think you referred to.
15 CHAIR BROWN: Oh, yeah.
16 (Laughter.)
17 MS. LAWSON-JENKINS: One of the other 18 meetings where we had to have a communication path 19 that will allow for vulnerability updates.
20 Because in the existing, in the original 21 guidance, we said you had -- we had these separate 22 security levels. And that you could not communicate 23 from lower to higher security levels.
24 CHAIR BROWN: Prohibited. It was very 25 specific.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
130 1 MS. LAWSON-JENKINS: Yes. We prohibited.
2 But, at the same time, was have the var -- a 3 requirement that you had to do vulnerability updates.
4 CHAIR BROWN: Well, what do you -- let's 5 explore that a minute. What do you mean?
6 I mean, what -- vulnerability updates from 7 what standpoint?
8 A deny all permits by exception is a 9 bidirectional data communication device that's 10 software controlled. And by command, can be allowed 11 to input from a lower level to a higher level.
12 MS. LAWSON-JENKINS: Okay. We -- I'm not 13 talking about a wired communication. Because you've 14 discussed diversity and things like that already for 15 safety.
16 Okay. So, what has been approved on the 17 mechanisms that we've seen implemented at plants, it's 18 not wired communication to install an update.
19 No plant has that. And no plant is using 20 that, because that would bypass the data diode in an 21 unacceptable way.
22 What we have seen are processes and 23 procedures, as I mentioned, with a kiosk and approved 24 media that's been received from a vendor that will be 25 scanned to make sure there's no known vulner -- no NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
131 1 known malware on that media that we're getting ready 2 to install on the CDA that's located behind the data 3 diode.
4 So, if everyone who does the vulnerability 5 update is a portable media. They are not using wired 6 connections.
7 CHAIR BROWN: Okay. That does not come 8 across. And in the way that's written into the Reg 9 Guide right now, does not do what you just said.
10 MS. LAWSON-JENKINS: How does it --
11 CHAIR BROWN: That does not -- that does 12 not preclude a wired bidirectional device to be 13 installed so that you can do vulnerability updates, 14 not by some other physical means, but by electronic 15 means.
16 And that ought to be clarified. That's 17 all I'm saying. And what you just said -- and I 18 understand what you just said. That's very clear.
19 MS. LAWSON-JENKINS: Um-hum.
20 CHAIR BROWN: But, that's not what this 21 says. This is an open -- this is an open -- when 22 we're reviewing a design, you know, and its structure, 23 okay, from a one line diagram and architecture 24 standpoint, we would see this, this could be 25 implemented and say hold it, the Reg Guide allows NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
132 1 that.
2 Because it's -- we got it processed.
3 We'll have controls when we tell it. It can process 4 and input to all these software systems on a permit by 5 exception basis.
6 And that's as soon as it's -- that's the 7 way that reads. You really ought to clear that up.
8 Because that's --
9 (Simultaneous speaking.)
10 CHAIR BROWN: That's like an open cesspool 11 type to destroy everything.
12 MEMBER PETTI: Kim, this is Dave. When I 13 saw these words, I, you know, knew it would trip 14 Charlie.
15 But, what I thought was exactly how you 16 answered it, is exactly how I thought it should be 17 done. So, there is a disconnect between what these 18 words mean and what most of the plants seem to be 19 doing, which is the right thing.
20 So, I would support that somehow some 21 words need to change here so that it doesn't look as 22 open as the words could imply.
23 MS. LAWSON-JENKINS: Point taken.
24 MEMBER PETTI: Thanks.
25 MS. LAWSON-JENKINS: I will. I will.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
133 1 But, to be -- just to clarify, there was, not as 2 serious, but there was a suggestion about, you know, 3 when we were coming up with the procedures, on how 4 would you do vulnerability updates? And immediately 5 the staff said no to wired communication. No.
6 And we were like, -- I said, with physical 7 security, you don't have a door open for 20 minutes 8 just to have someone do these updates. You don't do 9 that. And you wouldn't do the same for -- for wired 10 communication.
11 And like I said, there's a lot of 12 procedures and technical controls that we are using to 13 implement this. So, I will -- I can understand why 14 this needs to be clarified more.
15 And since what I said is actually the way 16 it's being implemented in the plants, we -- like I 17 said, we don't like to, the staff prefers not to say 18 how to implement something.
19 Okay. And keeping in mind that this maybe 20 the basis of future work, we don't like to dig 21 ourselves into a hole on something like that.
22 At least a new guidance will have to say, 23 maybe take exception to something we're saying. We 24 try to give the licensees and the vendors enough 25 flexibility that they can still implement things in a NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
134 1 secure manner.
2 But, your point is taken that because we 3 didn't specifically mention wired, that people may 4 think that's a justifiable way of doing it. When 5 absolutely everyone we've discussed this with knows --
6 has agreed and we don't have that.
7 So, I will make sure that we update the 8 text regarding that point. I agree.
9 CHAIR BROWN: Yes. I make one observation 10 on part of your comment about, we try not to tell 11 people how to do it.
12 You are the regulator. You are the safety 13 oversight. And sometimes, you have to tell people 14 what's absolutely acceptable to you, and what's not.
15 MS. LAWSON-JENKINS: Yes. We're the 16 security oversight. And honestly, I'll be candid, 17 only with physical security, with -- well not 18 physical.
19 With physical -- how can I say it, 20 chemistry, physics, a lot of those disciplines, we --
21 there are axioms, this is the way it operates, things 22 generally don't change.
23 With security, especially with cyber 24 security, change is the constant. That's the only 25 thing you can rely on.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
135 1 And you have to have ways of adapting just 2 as the attacker adapts. Okay. So, that's why we 3 tried to give guidelines.
4 We tried to -- and on some things, when we 5 introduced the data diode, they said, if you really 6 want to do one way, you must use a hard way mechanism.
7 So, we don't totally avoid it.
8 CHAIR BROWN: That's right.
9 MS. LAWSON-JENKINS: But that is the 10 preference. We don't totally avoid it. But, when we 11 don't want any miscommunication on it, which is 12 clearly what we have here, on this vulnerability 13 update.
14 And that preferred method is not to do 15 wireless. You've got to do wired absolutely. Because 16 -- and then we've come up with a better way of doing 17 it with portable media.
18 CHAIR BROWN: Yeah, that's --
19 MEMBER KIRCHNER: But Kim, this is Walt 20 Kirchner. May I ask a question about what is actually 21 in practice?
22 For those plants that you've inspected 23 that have implemented digital INC on critical assets, 24 say you come in with a computer. The computer is 25 scanned in this kiosk or whatever means.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
136 1 And it's clean. It has no malware and 2 such. But, it has a wifi connection.
3 So, say the maintenance guy or gal is 4 working on a piece, a CDA and needs to reference the 5 home base for the latest and greatest update or 6 ancillary information, whatever, that person -- if 7 that person does it through wifi and the internet, 8 doesn't that present a vulnerability to that CDA?
9 So, how do you deal with that part?
10 Because you know, when you have technicians in your 11 home, more often than not, they don't have printed 12 material anymore. They're on the internet pulling 13 down things, et cetera, et cetera.
14 So, how does the, in practice in the 15 industry, how are they dealing with that potential 16 vulnerability when they're working on CDAs?
17 MS. LAWSON-JENKINS: Okay. I can't speak 18 for every, clearly every licensee. But, I can give 19 some, those guidelines here.
20 That first of all, almost every security 21 plan that I know of, says that for safety and security 22 devices that -- that there is no wireless for those 23 devices.
24 Now, that can be changed. They can put in 25 an LAR and say we want to use wireless. That's a NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
137 1 totally different story, okay.
2 And they will have to have strong 3 justification or whatever. But, right now for 4 existing operating plants, there should not be an 5 attack surface there.
6 And this --
7 MEMBER HALNON: Hey, Charlie, this is 8 Greg. And Kim, it's Greg.
9 (Simultaneous speaking.)
10 MEMBER KIRCHNER: Okay, again, also that 11 pertains to maintenance as well?
12 MEMBER HALNON: Yes. Charlie, this is 13 Greg.
14 MEMBER KIRCHNER: Do you see where I'm 15 going?
16 MEMBER HALNON: Yeah. It's -- it's 17 similar to, go back to the old language. If you bring 18 something out of the cal lab that's calibrated and you 19 drop it or you do something to it, it invalidates its 20 ability to be used.
21 So, these laptops and other potential 22 issues that you might plug in, first and foremost will 23 have either the wireless modules removed or disabled 24 so that you cannot connect it.
25 And that's a pretty standard portion, not NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
138 1 just with cyber, but with normal security. A normal 2 security laptop will have a label on it saying, this 3 cannot be connected to any other things.
4 Same thing with printers or copy machines 5 similarly.
6 MS. LAWSON-JENKINS: Yes.
7 MEMBER HALNON: They are not connected to 8 the LAN. And so those are -- that's a pretty standard 9 practice in the operating forum.
10 MEMBER KIRCHNER: Okay. Thanks Greg. I 11 wasn't sure whether that was part of the procedural 12 practice or not. Thank you.
13 MS. LAWSON-JENKINS: Yeah. If you get, 14 like I said, take a look at the access controls in 15 Appendix B, and you'll see the wireless communication 16 and the information that we just relayed.
17 Okay. Next slide, Brian. And this what 18 we were just talking about. Minimizing the attack 19 surfaces and pathways.
20 CHAIR BROWN: Okay. You can probably go 21 on then, right? Or you -- we're falling behind a 22 little bit. And I want to get to lunch at some point 23 here.
24 (Laughter.)
25 MS. LAWSON-JENKINS: Yes. Okay.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
139 1 CHAIR BROWN: But, I think then -- I think 2 we've kind of been through this stuff. Am I right?
3 MS. LAWSON-JENKINS: Yes. But, I -- let 4 me make one statement.
5 CHAIR BROWN: Okay.
6 MS. LAWSON-JENKINS: A couple of 7 statements on this, because this is huge.
8 CHAIR BROWN: Okay.
9 MS. LAWSON-JENKINS: This is big. Because 10 with all the things with telling the licensees you've 11 got to monitor what you have.
12 You have to understand what you have. You 13 need to minimize the attack surface and pathways. If 14 you don't want to maintain it, if you don't want to 15 put vulnerability updates on for something, don't --
16 and you don't need it, don't have it on the device.
17 Okay. If you don't want to -- if it -- if 18 you have so many protocols, like when you're in the 19 lower defensive levels and you have IT equipment that 20 talks all these different applications and things, you 21 don't have that normally, the industrial control 22 system.
23 You should have the minimum set of 24 functions that you need to operate that plant safely 25 and -- securely and safely. Okay.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
140 1 Don't have extra software on it. Don't 2 have protocols running that you don't need. You have 3 the minimum number of things there.
4 And at the same time, anytime you're using 5 new technologies, make sure those new technologies 6 cannot be used to circumvent or bypass the 7 architecture that you put in place.
8 This was really important. Because when 9 people do digital upgrades, and as you said, you bring 10 in new maintenance equipment to do something, it has 11 to be locked down.
12 It has to have the minimum functionality.
13 And if you do it, at least do it, and get out. And 14 you have to understand how the device is, your devices 15 are affected by it.
16 So, we put a lot of information in about 17 minimizing the attack surface and the pathway. Next 18 slide, Brian. Slide 31. Okay.
19 Use of alternate controls. One of the big 20 things we had, in 2018 we added the intent of every 21 security control that we had in Appendix B and C.
22 Because sometimes licensees said they 23 would use different controls, alternate controls 24 compared to -- instead of using the ones that were in 25 our Appendix.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
141 1 Like they would use physical security, or 2 something that's been done in a safety system, we're 3 going to take credit for that. Or the maintenance 4 program.
5 We said look at the intent of the control.
6 Okay. It should meet that intent. And so we made it 7 clear on what the control, why the control was there.
8 There's lots of additional information 9 about that. Which is why the look of the guidance 10 really increased. Next slide, Brian.
11 Consequence based graded approach. You 12 look at the consequence of if a device fails, you 13 know, and based on that, that's what determines how 14 you're going to apply security controls.
15 And it should be consistent. It should be 16 repeatable. It should be understandable. And it 17 shouldn't change based on different, you know, things.
18 That was really important. Like I said, just to 19 understand why things were done.
20 And 13.10, we cite that in the new 21 guidance that 13.10 is one acceptable way of doing 22 this. Next slide, Brian.
23 Okay. This is an important one obviously.
24 This is where we mention that technical security 25 controls, things that you are installing on that NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
142 1 device, okay, that that could be a part of the design 2 certification list.
3 The licensee said, for this part of our 4 cyber security plans, we're depending on these 5 controls that were implemented in this device. This 6 is where they take credit for it.
7 And also, that's -- obviously that's based 8 on them giving requirements, like I said, to the 9 vendors. And the vendors demonstrating that they have 10 fulfilled those requirements.
11 We added text to the sections that talk 12 about technical security controls. Because as I said, 13 sometimes licensees would use physical security or 14 other operational security, something else to take 15 credit for technical control.
16 And we wanted to be clear why these 17 technical controls, what it means to fulfill these 18 things. So, next slide, Brian.
19 I think we -- did I give one example? I 20 didn't give an example of that. But, if you look at 21 those sections, the previous sections, that will 22 discuss it.
23 But, technical controls are very 24 important. They weren't installed a lot, like you 25 said, we -- for the cyber security plans, we added NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
143 1 that. That was added after the plants were built.
2 So, that's why they didn't take on the 3 significance, is what -- I would have thought as cyber 4 security. But, absolutely for the newer plants, for 5 new designs, technical security controls will be 6 vital.
7 Incident response, we updated based on the 8 use of cyber security event notification rule that has 9 been added. And we updated guidance based on some 10 references we had for this and the DHS CISA 11 Cybersecurity and Infrastructure Security Agency.
12 Next slide, Brian.
13 There's an error on this slide and on --
14 in Section 3, C.3.3.3.1. That just say updates, the 15 updates site Section 2.1 through 2.5 of Reg Guide 16 1.1.5.2.
17 That it -- there is no Section 2.6. But, 18 it references that for secure development of 19 equipment.
20 So, it talks about the concept 21 requirements, design, implementation, and testing.
22 Those are the five sections that are up front.
23 So, then after this meeting, that will be 24 updated before it goes out for public comment. That 25 will say 2.5 instead of 2.6. Next slide, Brian.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
144 1 We've talked a lot about continuous 2 monitoring. We added more examples to say what we 3 consider acceptable.
4 And I expanded -- we expanded the text 5 that talks about the importance of anomaly detection.
6 They need to understand what's normal in the network.
7 Which is why minimizing the software, what 8 you need in that network to have that minimized to be 9 able to detect something different. New activity 10 that's unexpected is probably the first signs of a 11 cyber security attack.
12 So, we added more text on that. Next 13 slide, Brian.
14 Effectiveness analysis of security 15 controls. I drafted almost all that text. So, and 16 that it was -- it isn't mandatory, but this is a 17 method that they can use to explain why they -- what 18 they did was effective.
19 So, we talk about how to come up with 20 objectives. What are good metrics? What are metrics 21 they want to capture?
22 How to build on the log files and all the 23 requisites they're currently doing in the cyber 24 security plans. How to establish benchmarks and 25 targets for metrics.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
145 1 And how to review, keep reviewing. Are 2 you getting the data you expected? Are you missing 3 any data?
4 Or did you -- are you getting more data 5 from different types of devices? There's a whole 6 section that was added on this in 2018. Next slide, 7 Brian.
8 CHAIR BROWN: So Kim, is this a convenient 9 -- we're looking like we're changing subjects a little 10 bit.
11 This is the --
12 MS. LAWSON-JENKINS: Do you -- no, do you 13 want to go back to the metrics part?
14 CHAIR BROWN: No. I would -- I'm looking 15 for a convenient place to --
16 MS. LAWSON-JENKINS: Break?
17 CHAIR BROWN: Stop for lunch.
18 MS. LAWSON-JENKINS: Okay. We only have 19 a few more slides. But, let's go ahead and break for 20 lunch.
21 Because this -- the part that talks about 22 where we're going and what we're going to be doing, is 23 very short. That's not going to take more than ten 24 minutes or something like that, 15.
25 CHAIR BROWN: And that's ten, you're NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
146 1 talking about the next ten slides or what?
2 MS. LAWSON-JENKINS: No. It won't take 3 long, I believe, to go through those. So, if you want 4 to break here, that's acceptable. That's fine with 5 me.
6 CHAIR BROWN: Is -- does anybody have any 7 comments? Walt? Greg?
8 MEMBER HALNON: No, I'm good Charlie, so 9 far.
10 MEMBER KIRCHNER: I'm fine. Thanks, 11 Charlie.
12 CHAIR BROWN: Do you all want to finish?
13 MEMBER HALNON: I hate to place that back 14 on your Charlie, but.
15 CHAIR BROWN: I can't -- I can't -- we 16 could take ten minutes. Okay. I was -- we've got 17 this scheduled out to about three o'clock.
18 So, we've got time. I figured we could go 19 ahead and take a lunch break until about 2:15. And 20 then use that ten minutes to wrap up the last 45.
21 MEMBER PETTI: Charlie, I tend to agree 22 with you. I mean, you've still got to go for public 23 comment.
24 CHAIR BROWN: Yeah.
25 MEMBER PETTI: So, yeah.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
147 1 MEMBER KIRCHNER: Yeah.
2 MEMBER HALNON: Yeah.
3 CHAIR BROWN: All right. We'll go ahead 4 and take a break right now. It is 1:07. We'll come 5 back at 2:15.
6 I'll give Walt an extra little time with 7 his dog and give my time for my dog. Is that 8 suitable? Okay. So, we are, I can't say adjourned.
9 We are recessed, that's the right word, until 2:15, 10 Eastern Standard Time.
11 (Whereupon, the above-entitled matter went 12 off the record at 1:07 p.m. and resumed at 2:15 p.m.)
13 CHAIR BROWN: Okay. Good afternoon, 14 everyone. It is 2:15. I will now reconvene the 15 meeting. And, Kim --
16 MS. LAWSON-JENKINS: Yes, I'm here.
17 CHAIR BROWN: Okay. I wanted to make sure 18 we got back safely here. You can proceed. And we 19 will start on slide 39 I guess. Is that right?
20 MS. LAWSON-JENKINS: That's correct.
21 Thank you.
22 I'm leaving my camera off for the moment 23 because earlier during the presentation I ran into 24 bandwidth issue. And it was, I was afraid I was going 25 to get cut off. So I'll probably leave the camera off NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
148 1 until the end of the presentation just to --
2 CHAIR BROWN: You can't see us either. So 3 --
4 (Laughter.)
5 MS. LAWSON-JENKINS: Assets, sorry, 6 security assessments and plant assets. Unlike the 7 previous section where I briefly discussed metrics, 8 the updates regarding quality security assessments are 9 not a separate section in the updates but made 10 throughout the whole document, both the security 11 assessments of the equipment and the effectiveness 12 analysis of the control supply, knowing this 13 information is critical in providing evidence that the 14 assets and the SSEP functions are protected from cyber 15 attacks.
16 We spoke earlier about requirements, going 17 to vendors and, you know, that the vendors should 18 implement the technical security requirements, and 19 that will be reflected in the plan. That's the asset 20 procurement and identification. That's where that 21 kind of interaction should occur.
22 We discussed earlier about maintenance of 23 the equipment and how that could possibly be used to, 24 as a segue to go to a network. So that's why asset 25 management is very important, asset maintenance is NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
149 1 very important as far as the security of the device.
2 We spoke about vulnerability assessments.
3 That's included in here.
4 The whole point of this diagram is to show 5 that these activities don't operate by themselves 6 isolated, you know, in a silo as we've been saying, 7 that they all have to interact, and they all affect 8 the security of the device.
9 The licensee should understand the plant 10 functions that's affected by the technology that's 11 being used. They need to understand the minimum 12 capabilities of the technology to support the 13 identified plant functions.
14 And they need to constantly evaluate the 15 risks, the attack surfaces, the vulnerability, and the 16 mitigations that are applied to protect the devices.
17 Next slide, please, Brian. Okay.
18 So, for CDA security assessments, as I 19 said, we updated text all throughout the document to 20 really drive home the point that the security 21 assessments should reflect the lifecycle of the 22 equipment.
23 It's not just done at the beginning. It 24 may not even be just done once a year. It should be 25 constant monitoring, assessing to understand the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
150 1 security posture of that equipment.
2 You have the initial assessments and the 3 reviews when you decide what controls you want to 4 apply. You need to verify that the controls that are 5 applied are effective.
6 We need to keep, the licensee needs to 7 keep track of the vulnerability notices that the, 8 issues for the devices in their plant and under the 9 control of their plans, and be able to discuss what 10 mitigations they applied based on that.
11 And very important, they need to fold in 12 their configuration management, which they already do 13 for safety, but to make sure that this configuration 14 management program is somehow associated with the 15 security, because a lot of times with cyber security 16 attacks we see that something has changed on the 17 device, whether it's escalated privileges or some 18 process turns on. And that's configuration 19 management. You should know what's running on your 20 device and keep track of those things. Next slide, 21 please, Brian, 41.
22 And as I said at the beginning and 23 throughout this presentation, we apply, for every 24 security control in Appendix B and Appendix C, we 25 listed the intent of the control so it will be clear NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
151 1 why that control is needed for certain devices, why 2 it's applicable, and how to then hopefully, if you 3 want to use an alternate, apply one that meets the 4 intent of the control.
5 The text added, we added text regarding 6 reducing or eliminating attack surfaces and pathways, 7 as I said, going for that minimum functionality.
8 If the licensee, I would mention to the 9 licensees, if you don't want to track it, if you don't 10 want to worry about vulnerabilities being reported on 11 something, if you don't need that service, remove the 12 service. It makes it much simpler to maintain and 13 keep a security posture for it.
14 And as I said, the last two to three 15 years, there's been a new version of NIST 800-53. So 16 the latest updates reflect those changes that were 17 applicable for our guidance. Next slide, Brian, slide 18 42.
19 This is actually a slide that I pulled 20 from the 2018 presentation. As I mentioned, there are 21 some differences between NEI 08-09 and the draft reg 22 guide that we're establishing.
23 Sometimes, we actually removed a few 24 controls that were still in this, sorry, in NEI 08-09 25 after reviewing the NIST guidance and deciding that we NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
152 1 really didn't need this because it was covered by some 2 other controls.
3 A few of the controls that you see in the 4 middle we agreed that we can remove this. And I gave 5 the reasons.
6 But there were a few controls at the end 7 I said that remain in the NRC guidance that has been 8 removed from the NEI guidance. It usually had to do 9 with the intent for security is different from safety, 10 where they were trying to basically credit the 11 security plan with a safety function. And it really 12 depends on how that's being used. And that's why we 13 kept those controls in.
14 One of the issues that was just brought up 15 during this discussion was for vulnerability updates 16 how during my explanation I said we use the PMMD 17 program not wired connections to implement the 18 security for that. That's the diversity. We need to 19 have a different way of doing something.
20 So that's going to be an example of that.
21 And it's probably what's going to be in the 22 justification when I update the text that has to do 23 with vulnerability updates.
24 And I already mentioned about filling in 25 a known state which deals with security and safety.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
153 1 Next slide --
2 CHAIR BROWN: Can I ask hopefully a quick 3 question?
4 MS. LAWSON-JENKINS: Sure, no problem.
5 CHAIR BROWN: And it's relative to your, 6 the diversity, B.3.20. I guess I'm trying to find it 7 again. I thought I wrote a note in the computer. I'm 8 not used to doing this. So I have a hard time. What 9 was that, B.2.20 or B.3.20?
10 MS. LAWSON-JENKINS: B.3.20 in NEI, sorry, 11 in the Reg Guide 5.71, the revision that we're doing.
12 CHAIR BROWN: Okay. Well, let me -- I'm 13 looking to see if I did write a note on that. I 14 thought I did. Maybe I didn't.
15 MS. LAWSON-JENKINS: Okay.
16 CHAIR BROWN: Oh, yeah, here it is. It's 17 B.3.21 actually.
18 MS. LAWSON-JENKINS: Oh, it's the one that 19 we've been discussing a lot actually. Okay.
20 CHAIR BROWN: I guess my question on this 21 is diversity is nice, but also a multiplicity of 22 different types of virus systems, cyber systems adds 23 to the complexity and difficulty of maintaining your 24 assurance that you're doing stuff okay.
25 You can have too much diversity. And it NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
154 1 complicates. And how --
2 MS. LAWSON-JENKINS: Agreed.
3 CHAIR BROWN: -- balance with that?
4 MS. LAWSON-JENKINS: That's the word that 5 I was going to use. You have to balance it. And that 6 is, no doubt about that.
7 If you have Windows software in your 8 control room and other places, one vulnerability there 9 could be spread in various systems.
10 So, but at the same time, it takes effort 11 to maintain different types of systems. It might be 12 untenable to be able to have different types of 13 software everywhere. So there is a balancing there.
14 And once again, that's risk-informed 15 security. You have to be able to understand what is 16 the risk on having several different types of ways of 17 doing something, because you have to have procedures 18 and processes and keep people trained on how to do 19 that, okay, or having the same software or the same 20 technology everywhere.
21 There is a tradeoff on that. And that has 22 to be discussed. And it's going to be different 23 depending on the circumstances. So we won't be able 24 to make a blanket statement on that.
25 I mean, usually when we actually get NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
155 1 through the licensing aspect and they talk a bit about 2 their plans and they get specific about the technology 3 and what's being used, then we can give more informed 4 guidance or ask them more informed questions. But 5 it's something they have to keep in mind.
6 CHAIR BROWN: How come you don't get 7 involved in the Mac versus Windows issues, because you 8 can't -- there's a lot of stuff done in Windows you 9 can't move over to a Mac environment and vice versa.
10 And you have to maintain both of them under the -- it 11 just seems to me that this -- and I'm not trying to 12 side with industry by, you know, safety or anything.
13 That's not the point.
14 It seems to me this would become fairly 15 complex for licensees to manage if -- you know, what 16 defines the balance or the reasonable approach? And 17 it depends on person to person.
18 I mean, you have one definition when 19 you're doing this kind of stuff, and then somebody 20 else in your section or you retire and somebody else 21 does it, and they've got another interpretation of 22 what it means. That's --
23 MS. LAWSON-JENKINS: Well --
24 CHAIR BROWN: We've been trying to avoid 25 that kind of stuff for years.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
156 1 MS. LAWSON-JENKINS: No, but at the end of 2 the day, it is the case that needs to be made by the 3 licensee based on what decisions they made and to 4 justify the decisions they made.
5 Personally, I would limit the amount of 6 Windows --
7 CHAIR BROWN: I agree with you there.
8 MS. LAWSON-JENKINS: -- devices that you 9 have and the data diode. For Windows, we don't know 10 a lot of the details. It's a lot of proprietary 11 software. That's why a lot of systems use Linux 12 because you get the source codes with that, and you 13 can look in detail.
14 But to be honest, you know, most people 15 who are system users, they aren't going to go into 16 that kind of detail. The people who supply the 17 equipment may do it maybe, you know. And sometimes 18 even they don't know what they're procuring, you know.
19 So supply chain and managing, deciding 20 what type of access and what type of technology will 21 be used at a nuclear facility is going to be, it 22 always has been and it will continue to be 23 challenging, especially with supply chain and that we 24 don't manufacture.
25 We don't know exactly. You know, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
157 1 sometimes you don't know exactly what you have in that 2 black box. And it's been certified, whatever. But 3 it's going to be a challenge.
4 And that's why, like I said, I keep going 5 back to we have to have those dialogues and a 6 discussion with the people who are supplying the 7 technology --
8 CHAIR BROWN: So you're going to --
9 MS. LAWSON-JENKINS: -- and have them 10 explain what's normal operation.
11 CHAIR BROWN: Okay.
12 (Simultaneous speaking.)
13 CHAIR BROWN: You're going to rely on a 14 balance of common sense in other words. I'm trying to 15 characterize this in some common --
16 (Simultaneous speaking.)
17 CHAIR BROWN: It's just seems to me that 18 this was kind of a black hole that we could go down, 19 and also it complicates things in terms of the 20 ability, transferability of information from one 21 system to another and everything else.
22 There's a good basis for having the same 23 stuff everywhere, whereas there's a good basis for not 24 having the same --
25 MS. LAWSON-JENKINS: Right. And it really NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
158 1 is going to be on a case by case basis --
2 CHAIR BROWN: Okay.
3 MS. LAWSON-JENKINS: -- how well you know 4 the technology --
5 CHAIR BROWN: Yes.
6 MS. LAWSON-JENKINS: -- and things like 7 that. So it's, they have to make their case on that.
8 CHAIR BROWN: All right.
9 MS. LAWSON-JENKINS: That's why I say we 10 don't have, we can't just -- we shouldn't dictate in 11 my opinion on that because it is one of those it 12 depends. And there may be a good justification for 13 what they did. And we need to hear it.
14 CHAIR BROWN: Okay. That's good.
15 MEMBER HALNON: Kim, this is Greg Halnon.
16 I just have a quick question. I'm trying to follow 17 the path here. In the Rev. 1 that we got delivered, 18 A.3.21 is the heterogeneity. Is that just a typo in 19 your slide?
20 MS. LAWSON-JENKINS: Let me --
21 MEMBER HALNON: I think you get -- it 22 looks like the numbers are like one off. But that's 23 not the real question.
24 In the Reg Guide, it's relatively sparse 25 on the information. And I'll have to confess I didn't NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
159 1 know, I don't think I've ever seen the word 2 heterogeneity before. But I followed it through.
3 Then I opened up the NIST document. There's a lot 4 more information.
5 Is the path that designers and people are 6 trying to get through is to go from the Reg Guide to 7 the much larger and more detailed NIST document? Is 8 that how you expect people to comply with this to 9 ensure that all the aspects are in the plan itself?
10 MS. LAWSON-JENKINS: The guidance that we 11 have in Reg Guide 5.71 in the draft guidance for this 12 revision is a tailored version of what's in this 800-13 53.
14 MEMBER HALNON: Okay. So that's --
15 MS. LAWSON-JENKINS: 800-53 is applicable 16 for all types of IT systems, like we said, systems 17 that have lots of Windows computers in there and lots 18 of unrestricted or a lot more people accessing the 19 system, and they're all connected to the internet.
20 And there's a lot more things that are going on in 21 networks.
22 And that's a very generic, you know, 23 systems they're talking about. We have a tailored 24 version of that for what we're doing for nuclear.
25 MEMBER HALNON: All right. But you NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
160 1 mentioned earlier that the text align so that if 2 someone went to the NIST document to comply with 3 B.3.21 --
4 MS. LAWSON-JENKINS: Okay. So these or 5 the B, that is for the Reg Guide. So that's the NIST 6 standards. That's a totally different numbering that 7 you --
8 MEMBER HALNON: Well, I understand that.
9 But I'm just trying to get the pathway. If I looked 10 at, just in my lack of experience, looked at that in 11 the Reg Guide I would have not understood what it 12 meant. Then I went to the NIST document --
13 MS. LAWSON-JENKINS: Okay, okay. I 14 understand.
15 MEMBER HALNON: -- and I understand it a 16 lot better because there's a lot more verbiage. And 17 I was wondering --
18 MS. LAWSON-JENKINS: Yes.
19 MEMBER HALNON: -- if that was the 20 expectation is that the Reg Guide is a pointer in a 21 sense to the --
22 MS. LAWSON-JENKINS: You could. We could 23 do that.
24 MEMBER HALNON: I mean, that's okay. I 25 mean, that's what you want. There's nothing in the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
161 1 --
2 MS. LAWSON-JENKINS: There's nothing wrong 3 with that.
4 MEMBER HALNON: -- NIST document that is 5 wrong. It's that --
6 MS. LAWSON-JENKINS: Nothing's wrong with 7 that. But not everything that's in the NIST document 8 is going to be applicable for --
9 MEMBER HALNON: I understand.
10 MS. LAWSON-JENKINS: -- nuclear security.
11 MEMBER HALNON: I understand.
12 MS. LAWSON-JENKINS: Especially when they 13 talk about privacy. We don't -- there is no privacy.
14 So things like that, it just won't be applicable for 15 our systems.
16 MEMBER HALNON: All right. I got it.
17 Thank you.
18 MS. LAWSON-JENKINS: Next slide, Brian, 19 please. Okay. Slide 43, supply chain. Sorry.
20 So, and supply chain for a few of the 21 controls we removed the prescriptive guidance. It 22 really was like how you -- it was too prescriptive.
23 If you look at the, you'll see what's been 24 deleted. Lots of those things have not been changed, 25 or they've just been deleted.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
162 1 And we say that we should look for known 2 vulnerabilities. The licensee has, sorry, the 3 supplier has to demonstrate that there are no known 4 vulnerabilities. And it has to be placed in the 5 system in a secure manner, that we've added a lot of 6 text about evaluating attack surfaces and attack 7 pathways, because that's how you know how to put that 8 securely in your system. Okay.
9 So we definitely made it more -- we got 10 away from saying you must do this, you must do that, 11 you know, a checklist of things, and said how you need 12 to do due diligence and understanding what you're 13 putting in your network and how to put it in there 14 securely.
15 The glossary has expanded. We tried to 16 balance on putting in just enough and not too much.
17 In most cases, we tried to use existing definitions 18 that came from NIST or DoD or somewhere that's, you 19 know, more applicable rather than coming up with our 20 own definition. But you'll see that.
21 Obviously, we updated the guidance, sorry, 22 the reference sections to more up-to-date things since 23 2010.
24 And also we had numerous editorial changes 25 when we had different people reviewing from public NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
163 1 comments, from OGC. And now we're going to put in 2 more changes based on the discussion today absolutely 3 for clearer guidance. Next slide, please. Okay.
4 So that is the overview of what we did or 5 the changes we actually made in the document. Do we 6 have any final questions on that before I go to the 7 next steps?
8 CHAIR BROWN: Just one, and it's just a 9 cross referencing type thing. I had looked back 10 through B and C. Where's the direct reference to NIST 11 for those items? I must have missed it.
12 I've seen NIST in some of the earlier 13 parts of the Reg Guide. I mean, you know, when I 14 keyworded that, I came up with a bunch. But I 15 couldn't get a direct tie to how you tied in the 16 Section B stuff we've been talking about, the -- all 17 those, you know --
18 MS. LAWSON-JENKINS: Right. All right.
19 I can provide you with a spreadsheet.
20 (Simultaneous speaking.)
21 CHAIR BROWN: No, I don't want that.
22 (Simultaneous speaking.)
23 CHAIR BROWN: How does the Reg Guide 24 connect those things back to NIST? You reference not 25 all the NIST stuff is in there, but these are based on NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
164 1 NIST. How does --
2 MS. LAWSON-JENKINS: There --
3 CHAIR BROWN: -- the Reg Guide translate 4 that or connect the dots on that?
5 MS. LAWSON-JENKINS: Okay. There are 6 tailored controls that you will find in NIST. So 7 there is -- for every control in there --
8 CHAIR BROWN: Where are they told that?
9 I'm sorry to -- but where in the Reg Guide are people 10 told that all these tie to NIST? Are they based on 11 the same numerical thing --
12 MS. LAWSON-JENKINS: No, it's a different 13 numbering. I mean, NIST has something like 800 --
14 they had a lot of controls, a lot more than we have.
15 So we took a subset of those controls. And then we 16 made them very tailored for the nuclear security.
17 CHAIR BROWN: Okay. Let me ask the 18 question --
19 MS. LAWSON-JENKINS: And that was in the 20 original Reg Guide. So that was done on the very 21 first Reg Guide.
22 So all we did for the update is to look at 23 the controls. And we don't have a mapping if that's 24 what -- there was a, I believe, and we could find that 25 in one of the references. In one of the references, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
165 1 and I could look it up in the minute before we close, 2 there was a NUREG that was put out that did do the 3 cross referencing between NIST and the guidance that 4 we put out --
5 CHAIR BROWN: Okay. Let me phrase it 6 again a different way. Okay. That's another document 7 that nobody knows about.
8 I'll look at Appendix B, technical 9 security controls. You reference all these things are 10 derived from NIST.
11 But if I look at the lead-in of that 12 overall Section B or Appendix B, it doesn't say that 13 these, all these controls are derived from NIST and 14 the document and the revision level.
15 It's referenced. I mean, NIST is 16 referenced in this thing somewhere in the references.
17 But it doesn't -- when I read this I didn't see it --
18 I didn't get that.
19 Let me -- I looked at these, and I said, 20 uh-oh, they came up with all kinds of stuff. There 21 was a lot of stuff in the last document.
22 MS. LAWSON-JENKINS: Okay. I think that 23 if you look at Section 3.3 in the front matter before 24 where we talk about security controls, you know, in 25 the staff guidance at the beginning and Section 3.3 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
166 1 that talks about security controls, we say that we did 2 a tailored version of the NIST controls. That's how 3 we came up with those.
4 MEMBER HALNON: The bottom paragraph on 5 page 7 in Rev. 1 also kind of goes through exactly 6 what you just said, Kim.
7 CHAIR BROWN: It does? Okay. I missed 8 that then.
9 MEMBER HALNON: It's in the background 10 section of the --
11 MS. LAWSON-JENKINS: Okay. But it's --
12 and then I say this also, if you look in the section 13 that talks about controls in general, how you apply 14 security controls, we say that we tailored the 15 version.
16 CHAIR BROWN: Okay. I got it. I see it 17 now. I just totally missed that when I read it.
18 MS. LAWSON-JENKINS: Out of 160 pages, I'm 19 not surprised.
20 (Laughter.)
21 CHAIR BROWN: At 11:00 or 12:00 at night, 22 it's easy.
23 MEMBER HALNON: Charlie, this is Greg. I 24 got one. I think it's just a housekeeping issue.
25 CHAIR BROWN: Yeah, go ahead.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
167 1 MEMBER HALNON: Kim, when you referenced 2 NEI 10-04, you said it was based on the current 3 version. And then later on, you referenced NEI 13-10.
4 And you actually put the Revision 6 in there with the 5 same version or the same verbiage saying it's based on 6 the current version.
7 Did you do that intentionally to leave out 8 the rev number in 10-04, or was that just a 9 housekeeping issue?
10 MS. LAWSON-JENKINS: I have to double 11 check. I can't -- I have to look at this because --
12 MEMBER HALNON: I think it's around page 13 20. I don't --
14 MS. LAWSON-JENKINS: Okay. I know for NEI 15 13-10 there were several versions. And you see up to 16 six. There were several versions of the document.
17 And so I wanted to be clear on which one we were 18 using.
19 10-04 and also for NEI 08-09 there were 20 not multiple versions usually of the document. Once 21 we approved it that was it.
22 MEMBER HALNON: Okay.
23 MS. LAWSON-JENKINS: Okay, okay. So --
24 (Simultaneous speaking.)
25 MS. LAWSON-JENKINS: But definitely go by NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
168 1 the references in the back.
2 MEMBER HALNON: Yeah, make sure it's 3 intentional. I would just say for consistency either 4 leave both of them the same or not.
5 MS. LAWSON-JENKINS: Okay. I understand.
6 MEMBER BIER: Charlie, this is Vicki.
7 CHAIR BROWN: Yes.
8 MEMBER BIER: I have one a little more 9 philosophical point that I want to raise kind of to 10 make sure that I understand things correctly and other 11 people understand things correctly. I don't think 12 there's been anything wrong implied, but just to 13 clarify a possible confusion.
14 When we talk about risk-informed cyber 15 security, I think what is meant is look at the 16 eventual outcome, like is this affecting a pressure 17 transducer which is not essential for safe operation 18 or is this affecting a scram function or whatever.
19 And the reason I want to ask this is it 20 seems easy, you know, both in my own mind and 21 potentially for licensees to fall into the sort of 22 pitfall of having, viewing the attack paths from a 23 risk-informed point of view of like, oh, this one is 24 more difficult and less likely to succeed or less 25 likely to be used so we don't have to protect against NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
169 1 it.
2 And I don't think that's accurate, because 3 if you protect against the easy ones then somebody is 4 going to choose that harder one at the end of the day.
5 So I just wanted to clarify. Am I 6 interpreting things correctly as to what's intended?
7 MS. LAWSON-JENKINS: First, one of the 8 basis of risk-informed security is to look at the 9 consequence of the failure of that SSEP function.
10 That's probably one of the overriding issues. Okay.
11 As far as applying controls or mitigations 12 to ensure that that function doesn't fail, there has 13 to be, you have to meet the security architecture that 14 you've established. And that architecture may change, 15 you never know, depending on what the type of 16 technology you're introducing.
17 And most certainly, it's in the rule that 18 you have to have defense in depth. So you have to 19 have, as we said, the preventive functions, the 20 detection function, assume they get in, how do you 21 recover from the cyber attack.
22 So it's not just one thing or a few things 23 that they do. And then you can't just rely on, as I 24 said, physical security or operational security. You 25 need -- on some things that may not be sufficient.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
170 1 And the reason I guess we're calling it 2 risk-informed, because it takes, you're looking at 3 multiple things. And you're trying to -- the licensee 4 will have to determine what is going to be the 5 appropriate level of mitigation based on what you're 6 trying to prevent. Okay.
7 So you're using multiple avenues of trying 8 to protect this asset and the pathways to make sure 9 that you can have timely detection and respond to a 10 cyber attack.
11 MEMBER BIER: So I guess my interpretation 12 of your answer is it's defense in depth which kind of 13 tells you, no, you cannot just dismiss some attack 14 path and say it's unimportant because --
15 MS. LAWSON-JENKINS: No. And there was a 16 question earlier about what methodology do you use to 17 decide what's important. So they have to make their 18 case on whether they use PRA or something else to say 19 this is important, okay, and this is why we have 20 protected it accordingly. Okay.
21 MEMBER BIER: Okay. Thank you.
22 MEMBER DIMITRIJEVIC: I would like to --
23 this is Vesna. I would like to add something to this, 24 because Vicki brings up the important question. And 25 this is why I make my previews come and show it, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
171 1 because this is such a complex problem because you 2 have so many different aspects.
3 Obviously, consequences, you know, they're 4 very important. And maybe they can be measured 5 through the PRA and maybe not. The PRA is not exactly 6 positioned to measure importance of the factions and, 7 you know, or you cannot really compare easily 8 transients versus impacts on the systems, components, 9 human actions. So PRA is already, if you have a 10 complex issue, how to address the consequences.
11 And then we have to decide the aspect 12 Vicki just brought, and this is what is likelihood of 13 that cyber attack, I mean, how complex is, how likely 14 it is to happen, and also what is extremely important 15 from the consequence point of view, how likely is the 16 recovery, you know, because importance of that, if it 17 ever was the same of a certain system, is how long 18 will that system be out of function.
19 So this is such a complex problem that 20 when we can really maybe through that we can just 21 really give only this very general, you know, 22 directions. But as it's being applied, we will learn 23 more.
24 I mean, you know, it is, this risk is very 25 complex and consists of multiple parts, you know, and NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
172 1 they both contribute to this side. And really, I 2 mean, you know, maybe even I really very much against 3 anything this general, this is risk-informed, this is 4 risk-informed. And we don't really know what risk we 5 are talking about. In this moment, we are just 6 learning more. So I have no any idea how to make this 7 more specific. Okay. That's it.
8 MS. LAWSON-JENKINS: We'll probably talk 9 about this a little bit more in the wrap-up. But I 10 wanted to go on to the next slide, so if, no 11 objections.
12 CHAIR BROWN: Go ahead.
13 MS. LAWSON-JENKINS: Okay. Thank you.
14 Okay.
15 So we started, as I said, updating the Reg 16 Guide in 2016. We released it for public comment in 17 2018. And we delayed the work because we wanted to 18 finish some industry initiatives and the post-19 assessment work and also the oversight program. We 20 wanted to get through the full implementation 21 inspections, which we did.
22 So we resumed the work on the Reg Guide 23 now. And we received the last comments, no legal 24 objections from OGC in July. Next slide, please, 25 Brian. Okay.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
173 1 I want to give you an idea just -- this is 2 not all the cyber security branch does. But we are 3 involved with the inspections for units, Vogtle Units 4 3 and 4. We are engaging with NRR and Region II and 5 Region IV staff who are performing digital upgrade 6 reviews. And we're talking to them and participating.
7 As we mentioned, we are engaged on the 8 Part 53 rulemaking and guidance. And some of that 9 work that they're doing may leverage what we are doing 10 in this upgrade of the Reg Guide.
11 And we work a lot with research, the 12 Office of Research and the DOE labs on different 13 technologies of things that are coming up the pike or 14 things that we see coming.
15 So it isn't a matter that the work we are 16 doing is all reactive. We do the -- you're saying we 17 wait till the inspections, and then we start looking 18 at what's been implemented all the time. That is not 19 what we're just doing. We are actually looking at the 20 development of guidance and how certain technologies 21 may be used possibly in the future.
22 I know we see websites of licensees 23 talking about some of these things such as supply 24 chain, obviously, and drones, artificial intelligence.
25 I've worked on security models, how to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
174 1 revalidate that the equipment, the security postures, 2 what they're doing is actually effective. We are 3 actively involved in all these issues.
4 So we're laying the groundwork I guess for 5 the next revision of the document. But it is 6 important that we get this one out. It's important we 7 get this one out, because the last version of the Reg 8 Guide that was out was the original version, which was 9 in 2010.
10 I did a quick Google search for some 11 reason for the draft guidance that we put out in 2018.
12 And DOE and, what was the other one, DOE and there was 13 -- oh, NIST actually, they actually referenced the 14 draft guidance that we put out in 2018 because they 15 couldn't or didn't want to reference the 2010 version.
16 It is really important that we give, you 17 know, us, where we get it to the point that we feel 18 that it's adding value we need to get this published.
19 That's just the goal.
20 MEMBER HALNON: Kim, this is Greg Halnon.
21 It was my understanding that there's no licensees even 22 using this right now. Is that right?
23 MS. LAWSON-JENKINS: The licensees are 24 using, the current licensees, almost all of them are 25 using NEI 08-09. Okay. Both 5.71 and NEI 08-09 are NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
175 1 acceptable ways of implementing a cyber security 2 program. But they are not, as we keep saying, are not 3 identical. Okay.
4 In addition to the updates that we are 5 doing based on the lessons learned from the cyber 6 inspections, this updated guidance will be used by 7 stakeholders, including vendors and equipment 8 manufacturers. Okay.
9 If you look at the comments that we 10 received during the public comment period, some of the 11 best comments -- all of the comments are helpful. But 12 the really, really the best comments came from 13 vendors, because they wanted more guidance on how to 14 implement things, not to say you must do it this way.
15 Okay.
16 But they were very good comments. And we 17 -- you could see on some of the responses, we said we 18 accepted those comments, and we incorporated those 19 things.
20 MEMBER HALNON: So I think my 21 misunderstanding was your urgency was not for 22 licensees. It's for the vendors and supply chain 23 piece.
24 MS. LAWSON-JENKINS: And you never -- in 25 the end of the day, the guidance is valid. It will NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
176 1 not be the basis for inspections for the currently 2 operating plants. Okay.
3 But if they do digital upgrades, they will 4 probably look at the latest guidance, because the 5 guidance that was put out in 2010 won't reflect all 6 the lessons learned.
7 So it would be good to update this 8 guidance and not have the NRC's guidance still based 9 on what we knew in 2010.
10 MEMBER HALNON: Thank you.
11 MS. LAWSON-JENKINS: Okay. Next slide, 12 please.
13 CHAIR BROWN: Not quite.
14 MS. LAWSON-JENKINS: Okay. Back.
15 CHAIR BROWN: I keep seeing the wireless 16 thing pop up. What in the world are we doing looking 17 at wireless, trying to figure out how to use wireless, 18 or why not just say no?
19 MS. LAWSON-JENKINS: The staff position 20 has not changed on this. As I've said throughout the 21 presentation on a lot of things, if wireless is ever 22 introduced, there would have to be an LAR for the 23 currently operating plants, okay, to do anything.
24 The case has to be made how to do it 25 securely. And that's probably why we haven't seen a NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
177 1 lot of guidance yet on that.
2 Clearly, wireless can be done. I came 3 from the Department of Defense. We do wireless. But 4 we have unlimited resources. And you could do that.
5 CHAIR BROWN: Well, the Department of 6 Defense is, you know, is sad they did that. They got 7 hit through that source.
8 MS. LAWSON-JENKINS: Well, but, you know, 9 there are some places, when you fly in a plane you 10 have to use wireless.
11 CHAIR BROWN: No question about if you're 12 in an airplane you can't drag a wire behind you.
13 MS. LAWSON-JENKINS: So --
14 CHAIR BROWN: I'm just hoping that nobody 15 is sitting around trying to do research and figure out 16 how we can use wireless. Let the industry figure out 17 how to do that and tell us that it's good. That's --
18 MS. LAWSON-JENKINS: I agree. We should 19 be in oversight mode on that absolutely.
20 CHAIR BROWN: Yeah. Okay. That's it.
21 Thank you. You can go on now, yeah.
22 MS. LAWSON-JENKINS: Okay. I just want, 23 I want to make a clarification on something, that we 24 are doing research. We are actively looking -- how 25 can I say this?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
178 1 I know you just said to let the industry 2 figure this out. As I kind of, as I'm trying to say 3 in this slide, we are being a little bit more 4 proactive because we don't want to be in a reactive 5 mode all the time. We need to come up and understand 6 what's coming ahead and see and try to develop a staff 7 position at the same time. So I want to be clear on 8 that.
9 While I agree we are not advocating and 10 pushing for something, we don't want to wait until a 11 decision is made that we're going to do something and 12 then it's on us to say, no, you cannot do, you know, 13 do it.
14 So we are still -- we have a research 15 office that is looking at this. They collaborate with 16 the, our group to talk about what we've seen and the 17 possible pitfalls.
18 So I don't want to get down the rabbit 19 hole on wireless. And the industry may be using it 20 for non-safety, okay, and non, you know, security 21 functions, because there's no real restriction on that 22 because there's no impact on their cyber security 23 plan.
24 But we're taking a we'll see attitude. We 25 are actively looking at this on our own because we NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
179 1 don't want to be caught unaware, and we want to have 2 our own positions when the proposal is made. Okay.
3 CHAIR BROWN: Okay.
4 MS. LAWSON-JENKINS: I do believe in being 5 proactive on some of these things.
6 So back to the timeline. Okay. So we 7 would like, okay, now that we've had this opportunity 8 to have this engagement with the ACRS to possibly get 9 this Reg Guide out for public comment in 2022, in 10 January.
11 And the reason I'm mentioning January is 12 that it would actually get it published this year if 13 we can do that. Every month that we wait it's going 14 to delay getting it out.
15 The ACRS will have another brief. You'll 16 see me again if we let it go in January before the end 17 of the year to say the final language that's in there 18 and to get a resolution before --
19 CHAIR BROWN: Okay.
20 MS. LAWSON-JENKINS: -- published --
21 CHAIR BROWN: Let me give you the game 22 plan so you'll know.
23 MS. LAWSON-JENKINS: Okay.
24 CHAIR BROWN: We are going to, as a result 25 of this meeting, we will have a full committee NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
180 1 meeting. And I think it's scheduled for December.
2 And we will prepare, I will prepare a report for, you 3 know, which gets the consensus of the committee.
4 We may have suggestions. I've made 5 comments, you know, along the way. You know, I've 6 written some stuff down there, observations, 7 suggestions, to think about.
8 And then you can, you've had suggestions 9 via the meeting. Remember there's no, they are 10 individual member's suggestions or thoughts, some you 11 might want to consider in preparation for 12 clarifications.
13 And we'll go through those in the December 14 meeting. We'll have a report. And then you should be 15 able to get it out sometime after that.
16 MS. LAWSON-JENKINS: Okay.
17 CHAIR BROWN: I think that's sort of 18 consistent with your timeline, within a few weeks 19 anyway.
20 MS. LAWSON-JENKINS: Okay. That would be 21 wonderful. Okay. Thank you. And --
22 CHAIR BROWN: Christina, was I right, that 23 we do have this scheduled for the December meeting, 24 don't we?
25 MS. ANTONESCU: Yes, sir. We do in NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
181 1 December, first week of December, the full committee 2 meeting.
3 CHAIR BROWN: Okay, thank you. All right, 4 go ahead, Kim. I'm sorry.
5 MS. LAWSON-JENKINS: No, I think -- Brian, 6 the next slide, please. Okay.
7 So basically I'm restating what I said at 8 the beginning for key messages. Everything that is 9 actually in this guidance, it isn't an academic 10 exercise. We have actually seen programs implemented.
11 We've seen what works. We've seen better ways of 12 giving -- of writing guidance. We've pulled this from 13 IAEA, from NIST. There's a lot of lessons learned in 14 here.
15 There is no change in the staff's 16 position. There are only clarifications. And we have 17 one new regulation which is the cyber security 18 notification. And the world has changed since 2010 19 and the technology and it's going to continue to 20 change. And we'd like to get this updated guidance 21 out as the basis for new guidance that will be from 22 Part 53 that they might leverage. And as I said, also 23 for the vendors to see the best practices that they 24 can incorporate and for the licensees who want to 25 upgrade digital equipment also. They can look at NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
182 1 this.
2 And I believe we have final, any final 3 closing questions and answers if anybody has any more 4 questions.
5 Brian, I think the next slide is Q&A, yes.
6 So any last questions.
7 CHAIR BROWN: Members, this is the --
8 before I go to the public comments, does anybody want 9 to add anything other than what they've already said 10 or do they want to clarify or amplify? This is the 11 opportunity before we go out for public comments.
12 MEMBER KIRCHNER: Charlie, this is Walt.
13 May I ask Kim one question?
14 CHAIR BROWN: Yes.
15 MEMBER KIRCHNER: Kim, under vu-graphs, 16 you mentioned Vogtle 3 and 4. I think you've got a 17 number of plants, too, like Limerick and others that 18 are proposing much more expansive use of digital I&C.
19 As a result of those interactions, are you 20 testing this against those reviews or interactions or 21 inspections? Because now we're in the situation with 22 those newer plants or new digital I&C. It's not --
23 I'll say it's not backfitting in dealing with it in an 24 older plant that's primarily analog, but you're now 25 seeing much more expansive use of digital. Is that NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
183 1 impacting your thinking in any way?
2 MS. LAWSON-JENKINS: We are clearly basing 3 this based on lessons learned that licensees have 4 experienced now with implementing fiber security 5 plans, so they are aware that we will be looking at 6 the impact of adding the new equipment and technology 7 to their plants.
8 There is a security control, like I said, 9 obviously, 140 controls, but there's one that's called 10 security impact analysis where the licensee has to say 11 what is the impact of adding the new features or 12 equipment to the plant and they have to have a 13 detailed analysis that shows that they looked at this.
14 I have participated or I have observed 15 factory acceptance testing, so I can see the 16 requirements that went to the developer, the system 17 developers and could see the responses that came back.
18 I will probably be participating in a site acceptance 19 testing to get an understanding of how they're going 20 to introduce the new equipment into their cyber 21 security program.
22 So we are, like I said, very involved in 23 these things. It isn't that we have a hands off and 24 don't look at it until we have another formal 25 inspection. And so they have to explain to us how NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
184 1 they understand the attacks purpose, how they 2 understand the pathways of communication paths, how 3 those are being protected and they will show that when 4 they actually implement the equipment in their plant.
5 Did I answer your question?
6 MEMBER KIRCHNER: Thank you. I was just 7 curious whether or not you were seeing, as we go more 8 digital, as I was saying -- different strategies like 9 in architecture or in hardware space to minimize 10 vulnerabilities and attack services.
11 MS. LAWSON-JENKINS: Yes. You know, when 12 it is using new technology, you're using more embedded 13 systems. You have ways. You limit the amount of 14 interaction and updates you'll have to do, the type of 15 equipment they're using for manual -- sorry, 16 maintenance and testing is very controlled, that you 17 know, and we see a lot of security controls applied 18 there and under what conditions they're being used.
19 So they are very aware of the security aspect of their 20 equipment now when maybe 20 years ago they wouldn't 21 have been. So there is thought of doing that well by 22 the systems supplier, not just the operator who is 23 going to install the equipment. They understand that 24 they need to address security earlier in the life 25 cycle.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
185 1 MEMBER KIRCHNER: I was just searching to 2 see if you were seeing, for example, design approaches 3 that are used for reactor protection systems being 4 also implemented in control or balance of plant and 5 other systems such that it's much more, how shall I 6 say, burned in software than free-form software so to 7 speak so that the device, the individual CDAs are much 8 more resilient and less vulnerable to all the issues 9 of cyber attack.
10 MS. LAWSON-JENKINS: I can't -- because we 11 -- like I say, we observed the processes that they 12 used for the secure development of the device, so 13 that's why I said we can participate in the factory 14 acceptance testing and the site acceptance testing.
15 We won't get that kind of information what you're 16 asking for which, I believe, until we actually see the 17 implementation of the equipment. Like said, that's 18 the realm we operate in, okay? For better or worse, 19 when we actually have regulatory oversight, is when 20 the equipment is actually installed.
21 And then at that point the licensee will 22 take credit for whatever changes -- whatever they did 23 for the -- in the actual system. So it would probably 24 be more clear then, so not yet because a lot of things 25 we haven't discussed yet with them. We are definitely NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
186 1 in an observation mode at this point and no formal 2 requests or answers are made at this point.
3 CHAIR BROWN: Walt, we're planning --
4 Christina, correct me if I'm wrong, right now, I think 5 Limerick and Turkey Point are planning on replacing 6 their existing analog systems with digital systems, 7 safeguards and reactor protection. I don't know the 8 extent, but that's the general. And we'll be seeing 9 those now as part of the design reviews.
10 MEMBER KIRCHNER: Yes, so maybe my 11 question -- I'll just hold these and that's probably 12 the more appropriate venue to ask these kinds of 13 questions. Thank you.
14 CHAIR BROWN: What Kim is dealing with is 15 after the fact, the systems designed and then they 16 have to deal with how the vendor took care to protect 17 it. It's a different -- they're in a different pocket 18 here.
19 Okay, I heard somebody else about to say 20 something and if you're still -- members, you still 21 wanted to say something go ahead. Hearing nothing --
22 MR. HECHT: Charlie, this is Myron.
23 CHAIR BROWN: Yes, go ahead.
24 MR. HECHT: Just a -- you made a side 25 comment back on chart 27 and I'm not sure how NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
187 1 seriously you meant it, but it's not on the chart, 2 it's based on what Kim said. But you said you haven't 3 come up with clear supply chain guidance yet.
4 There is some guidance as you pointed out 5 later in the presentation and I don't want to try to 6 find it now, but there is some. Of course, NIST has 7 a 400-page publication, 800-161, on that subject.
8 And so you come from DoD which has been 9 dealing with it for a long time. Why -- and I guess 10 the other part of it is that we do know that supply 11 chains can -- are an attack path, so the wins taught 12 us that.
13 So I guess is more needed and if so, why 14 are you not considering using available sources to 15 both do that section and if it's not needed, why not?
16 CHAIR BROWN: Do you remember which 17 section it was? You said Slide 27. That was defense 18 in depth and I'm just looking at that now and I don't 19 see supply in there.
20 MS. LAWSON-JENKINS: Go forward, Brian, 21 because I did talk about supply chain later on towards 22 the end. Keep going. There. And maybe -- two more 23 slides, keep going. Keep going. Two more. Another 24 one. Another one. There. Okay.
25 Please do look at that section and NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
188 1 Appendix C that talks about supply chain. And like I 2 said, we added information that talks about attack 3 surfaces of pathways. We can -- I think eventually we 4 need guidance and even IAEA hasn't come up with this 5 yet, guidance on supply chain. They're in the process 6 of doing that, but did not want to -- we do need 7 additional guidance.
8 I think we've provided some clarity on 9 this one and this guidance, but I'll be the first to 10 agree it doesn't go as far as I think it needs to go, 11 but because those recommendations are still in flux, 12 that was a design decision on my part. I did not want 13 to put information there that hadn't been generally 14 vetted or at least accepted by the community yet. So 15 I'd be the first to agree that we need more 16 information on supply chain.
17 And right now, like I said, the best 18 defense of supply chain is to minimize the attack 19 surface and to know what should be going on in the 20 network and be in close contact with the suppliers.
21 This has been a big issue with --
22 obviously, the supply chain is not just nuclear 23 security. It's all of the areas. But I do feel that 24 for critical infrastructure that's going to be a 25 special case. I think if we won't have the level of NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
189 1 protections, possibly we won't be at the exact same 2 level that we have in the Department of Defense 3 because like I said there's more resources and things 4 like that there where they have to be above what you 5 have in normally commercial equipment, commercial 6 grade equipment. It has to be higher than that.
7 So hopefully, CISA out of DHS for critical 8 infrastructure will start helping and leading in the 9 guidance on that, but I don't believe this will be 10 solely tied to nuclear security. It should be 11 definitely infrastructure, critical infrastructure.
12 We may get additional guidance and are working. We 13 have people involved with the guidance out of IAEA 14 also.
15 CHAIR BROWN: When you talk about supply 16 chain, do you mean qualified suppliers or are you 17 talking about replacement parts or both?
18 MS. LAWSON-JENKINS: Both, both. I mean 19 at the end of the day, any of that can affect the 20 security of your system, so we have to have everything 21 in there. Yes.
22 CHAIR BROWN: Okay.
23 MEMBER HALNON: Charlie, this is Greg. I 24 guess I'm confused. I thought that the urgency to get 25 this out was primarily for the supply chains because NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
190 1 no licensees are using it. And now you're saying that 2 we have to continue to add information for the supply 3 chain?
4 MS. LAWSON-JENKINS: Well, we have more 5 information than just supply chain. However, and I'll 6 be candid about this, this is what any guidance, you 7 won't -- it won't be finished. It will never be 8 finished.
9 Okay, there's information in here that is 10 useful currently to the vendors and the licensees who 11 might want to upgrade systems. I absolutely agree 12 that more information that can be added or should be 13 added, but there's no consensus on it yet. So that's 14 why I prefer not to add it today. But it should not 15 take candidly another ten years to get another 16 revision of this document out, not for cyber security.
17 MEMBER HALNON: Okay. Thanks, Kim.
18 CHAIR BROWN: Okay, I don't hear anything 19 else from members.
20 Christina, how does the phone line work 21 now? They're patched in? They don't have to be 22 connected. They're there now.
23 MS. ANTONESCU: They don't have to be 24 patched in. Whoever is on line from the public can 25 make a comment.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
191 1 CHAIR BROWN: Okay. All right, I'm 2 inquiring of the public right now, whoever is on the 3 line, this is your opportunity to make a comment. If 4 you would speak up, give your name, and then go ahead 5 and provide your comment and organization.
6 MR. MOORE: Members of the public may have 7 to press star-6 to unmute themselves.
8 CHAIR BROWN: Oh, okay. Thank you. I 9 hope you heard that. You might have to press star-6 10 in order to unmute yourself.
11 I don't hear anything, so we will come on 12 back. I think this kind of wraps up --
13 MS. ANTONESCU: Member Brown, I have a 14 question.
15 CHAIR BROWN: Go ahead.
16 MS. ANTONESCU: Can you let the staff know 17 what to prefer for the full committee meeting, what 18 your thoughts are, what they should present at the 19 meeting?
20 CHAIR BROWN: Well, they should present --
21 obviously, we'll have what, about two hours or two and 22 a half hours at the meeting, full committee meeting?
23 MS. ANTONESCU: Yes, about two and a half 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, yes.
25 CHAIR BROWN: Between the two meetings, I NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
192 1 think most of them -- how many members do we have? We 2 have about six members here today? Did I count right?
3 About the same. We had a few more, I think at the 4 other one.
5 I would abbreviate the first few, what I 6 call the stuff you did the last time with no more than 7 intro part of it. And then I would try to focus on 8 some of the issues we brought up on some of the 9 slides, those that didn't draw much response, you can 10 probably reduce those.
11 MEMBER HALNON: Charlie, this is Greg. I 12 suggest that you give it some thought first and work 13 through it methodically as opposed to doing it on the 14 fly. I think for two and a half hours it deserves 15 some reflection on what you want done. Just my 16 suggestion.
17 CHAIR BROWN: No, that's a good point. I 18 have some -- if anybody has got some questions or 19 items they would like to be covered, please send them 20 to me and we'll get those wrapped into the 21 presentation.
22 MEMBER PETTI: Charlie, it just seems to 23 me the obvious questions that we raised about new 24 plants and how to get those people to know that 25 there's stuff over here that's important for them to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
193 1 consider, how did that work? To me -- I still don't 2 have in my mind don't have a clear understanding of 3 how that works. It's really not their purview and you 4 know, what's the right answer? Are we looking for 5 work around? What are the options, those sorts of 6 things. And that may require Kim's management to be 7 involved or something because their focus is existing 8 plants, but we've got this other concern.
9 CHAIR BROWN: Yes, that's the thing I want 10 primarily to be able to address. It's wired in with 11 the change to this particular Reg. Guide.
12 MEMBER HALNON: And that can could segue 13 into how they're connected with the Part 53 effort, 14 too.
15 CHAIR BROWN: And also -- yes. Because 16 the design issues are going to come up. These things 17 are complex and to me there's a number of things we do 18 in the design space that we have to do in the 19 beginning and even though we know there's all these 20 other ancillary issues that we cover by other cyber 21 security type approaches to doing things. But there 22 are certain design items we have to cover. Just like 23 we do with how do we evaluate a system relative to the 24 principal -- the framework, the principal design 25 criteria. And this gets cranked into that as well NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
194 1 because it's one of their concerns, the control of 2 access issue.
3 We can feed that back. I agree with you, 4 Greg. I've got to go back and look, but if you notice 5 the primary thrust of most of my -- most of the stuff 6 I address was how do we get to the resolution of 7 getting people not to push back during the design 8 phase.
9 MEMBER HALNON: I agree. I think if you 10 can get the transcripts, you can probably walk through 11 it and come up with a present decent list for 12 presentations' format.
13 Vicki has got her hand up, too, just to 14 let you know.
15 CHAIR BROWN: Go ahead, Vicki.
16 MEMBER BIER: Sorry, I had to unmute. I 17 would say that probably the risk-informed aspect of 18 this should be at least a little bit of time in that 19 presentation. As Vesna said, it's kind of complex and 20 sort of a work in progress or a work of art or 21 something to figure out how to do that best. So other 22 people on the committee may have good comments on 23 that.
24 CHAIR BROWN: Okay. Any others? How did 25 you phrase yours, Dave, the same thing I was talking NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
195 1 about. I'm trying to remember. I think you said 2 something that tweaked my memory and now I don't have 3 it any more.
4 MEMBER PETTI: Yes, how do we in a process 5 sense get the advance reactor folks to look at this?
6 CHAIR BROWN: Well, it's not just advanced 7 reactors. It's backfit equipment into the operating 8 plants.
9 MEMBER PETTI: Right, right.
10 CHAIR BROWN: At the design stage.
11 MEMBER PETTI: Yes, right.
12 CHAIR BROWN: Design phase I should say.
13 And ditto for operating plant backfits.
14 MEMBER BALLINGER: This is Ron. Aren't 15 the advance reactor people by definition going to have 16 to deal with the risk-informed aspect of this?
17 CHAIR BROWN: Well, you're still going to 18 have to have a protection systems. It's got to have 19 some type of instrumentation and control. It just 20 depends on the characterization of them.
21 MEMBER BALLINGER: But since risk 22 informing is a bit subjective, that's going to get to 23 be pretty important I think. No?
24 CHAIR BROWN: I don't know. I have a hard 25 time risk informing my safety protection systems.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
196 1 MEMBER BALLINGER: Yes, but that's just 2 the starting point, right? I mean it's the key point, 3 but it's a starting point.
4 CHAIR BROWN: Well, they're applying risk 5 informing to see how hard do they have to go after 6 certain quote digital assets. I mean if their failure 7 doesn't create a problem, then it's a don't care. You 8 don't do anything. If it creates a little problem, 9 then it's not much -- you do a little bit, but no 10 more. And then if it's a big problem, then you do 11 more.
12 MEMBER BALLINGER: But this implies 13 there's some kind of figure of merit, you know, people 14 have suggested using the PRA.
15 CHAIR BROWN: Yes, well a PRA doesn't 16 address what these components look like.
17 MEMBER BALLINGER: Yes, yes.
18 CHAIR BROWN: It's more of a direct result 19 of things not working or other design aspects from 20 materials or other stuff not working, whatever it is.
21 I don't want to convolute it too much.
22 MEMBER DIMITRIJEVIC: We have sort of like 23 different components, like you know, the cyber 24 security, the plant safety, I mean and all getting 25 mixed in the big pot. So I mean -- but this should --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
197 1 I think it deserves to be discussed again.
2 CHAIR BROWN: Kim, you made the 3 observation that hey, you're all in your world and NRR 4 is in their world. And the real problem is as I think 5 we envision it, there's not a coming together on how 6 certain pieces of your world need to be addressed in 7 the design world because that's part of the equipment 8 and overall functional architecture. They're separate 9 from the stuff you deal with in the more abstract 10 cyber world.
11 I think it would be a really good idea if 12 you all and NRR would -- you know what the issue is.
13 We discussed it ad nauseam for the first hour and a 14 half of the meeting. And somehow, you all have to get 15 together. We are in between and it's -- we're kind of 16 getting hammered from both sides. And we know what 17 we're going to do from the design standpoint, the 18 certification standpoint, but it's making it very 19 difficult to get there without a lot of angst on the 20 part of the staff and thinking that they're getting 21 into other people's turf, if you want to call it that.
22 So I don't think I'm speaking out of turn, 23 but I think it would be useful if NRR and NSER would 24 -- hey, look guys, we've got an issue we're dealing 25 with. How do we help resolve this because the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
198 1 committee is going to continue to address making sure 2 there's adequate control of access, not being allowed 3 in that architecture that we have evaluated when the 4 staff presents the new design architectures and 5 frameworks.
6 MS. LAWSON-JENKINS: I want to be clear on 7 my earlier comment. I didn't -- I don't want to give 8 the impression that we don't look at the NRR 9 documentation or the recommendations or specifications 10 they put out. We do work together and one of the 11 later slides kind of alluded to that, especially on 12 things such as digital upgrades and other areas. So 13 we work with research. We work with NRR. In some 14 circumstances, we work with NMSS. I don't believe in 15 operating in different silos because as you said, 16 security can cut across all of those areas.
17 But at the same time, we have our own 18 areas of expertise. I feel comfortable talking about 19 security.
20 CHAIR BROWN: I understand that. I 21 understand that. But when we're in a design 22 certification phase and we're looking at an 23 architecture and we look for how do we prevent data 24 transmissions and other access into the reactor 25 safeguards, protection systems, and the other critical NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
199 1 safety systems that those feed or that -- and we look 2 for where are the protections from a data transmission 3 and we get pushback that they can't do it because that 4 doesn't get covered until the COL. And that's for new 5 design, you know, that's for brand new design plans.
6 The same thing is going to be similar, not quite as 7 bad for the backfits. And that's a difficulty. So 8 that's the pushback we're dealing with.
9 I would just hope that -- and they're 10 pointing at you all, not pointing -- that's the wrong 11 word. They're saying they're not allowed based on the 12 rule and I don't agree with that. I think that's 13 short sighted to say the least. That's my words, not 14 the committee's words. Recognize that, okay?
15 MEMBER PETTI: To me, my concern is that 16 the right people are at the full committee meeting to 17 address this issue. What I don't want to see happen 18 which happens all the time is that's not us. That's 19 so and so's responsibility. This is an issue that's 20 cutting across. And so it's not necessarily Kim. The 21 message back to us is get the right people in the full 22 committee meeting so that we can address this and get 23 this resolved.
24 And so it may not be you, Kim. You may 25 have to go your management. They may have to walk NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
200 1 across to NRR management, but that's one of our 2 biggest issues and we just want to get it on the table 3 and get the right people in the room, so we can figure 4 out how to get there because personally, I'm not an 5 expert, but I don't think this is a big ask. We 6 basically identified sort of a hole, if you will, in 7 the way the processes link up that we think just isn't 8 in the best interest of the Agency or the applicant.
9 And how do we put it all back together so that we 10 don't have the problems that we've identified in our 11 letters.
12 Is that fair, Charlie?
13 CHAIR BROWN: That's very good. You said 14 it exactly right. We've been dealing with this for 15 several years. We did it on AP1000. We were 16 successful on APR1400. We finally got there. And 17 NuScale, it came out okay although there was a little 18 bit of pushback, but it came out okay also.
19 But it was brutal. It was hard to deal 20 with. It was always we really can't do that. And the 21 vendor, the licensee just decided to do it anyway.
22 And once he decides, we're home free. So Dave, you 23 phrased that very, very well. Hopefully, that's in 24 the transcript.
25 MEMBER PETTI: You can take it back to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
201 1 wherever we have to take it back to.
2 CHAIR BROWN: So he phrased that right.
3 Somehow management, you guys have to get together.
4 We're going to keep working on this and all it does is 5 cause more work for both NSER and NRR to keep having 6 to deal with this issue as it comes up from us.
7 You would see a little bit of our 8 frustration in some of the reports we've written 9 recently.
10 MR. MOORE: Member Brown, Jim Beardsley 11 who is Kim's branch chief, I believe, is on 12 representing management and he also has had his hand 13 up and patiently waiting, so you may want to call on 14 him.
15 CHAIR BROWN: I didn't see it. I'm sorry.
16 There's no hand up on my computer.
17 MR. BEARDSLEY: Thank you, Scott. I 18 actually took my hand down because I was going to make 19 the same point that was made before, that we hear your 20 concern and we understand and we look forward to 21 getting any other information you'd like to have 22 addressed at the December meeting so we have the right 23 people at the table to do so.
24 CHAIR BROWN: Okay. I have a few 25 observations or suggestions based on some stuff I saw NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
202 1 and it's similar to the one on the deny whatever.
2 That one particular thing that everybody and Kim 3 picked up on and she's going to think about. I had a 4 few comments and thoughts about how some stuff ought 5 to be I guess clarified. I'll pass those on. Those 6 are mine. They're not recommendations. They're not 7 committee things that you all can decide what you want 8 to do with them. I'm just passing them on. Those are 9 things that I think you might want to address in part 10 of the meeting as well. And I did discuss them here.
11 And then I'll think about some other 12 stuff. But Dave and Greg, they hit on -- the big 13 issue is the -- I don't want to call it confrontation, 14 the interactions on this other issue. We've just got 15 to get through this so that people are working 16 together and we're not always at loggerheads.
17 So Dave, Greg, you've got any other side 18 comment on that?>
19 MEMBER PETTI: No, you did it. Thanks.
20 MS. ANTONESCU: Member Brown, all the 21 staff and management from all the offices were invited 22 at this meeting and previous meeting.
23 CHAIR BROWN: Okay. Well, they've heard 24 it. They know what's going to it. Now they've heard 25 it again.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
203 1 All right, if there's no other -- if I'm 2 not missing anything else, I think we are done and I 3 guess have a good weekend to everybody and the meeting 4 is now adjourned.
5 No, don't go. It's not adjourned yet, I'm 6 sorry. One thing I want to make sure is clear. You 7 can take the share down.
8 I want to thank Kim for a very good job of 9 giving us the presentation and explanations, her 10 patience with our repeated questions. So I just 11 wanted to make sure that Kim understood that, that 12 this was a good session and I thought it was very 13 valuable.
14 MS. LAWSON-JENKINS: I appreciate the 15 opportunity to discuss why we have what we have in the 16 document. No, really, and I appreciate the comments 17 and your comments and input will help make it a better 18 document. Thank you very much.
19 CHAIR BROWN: Okay, Kim.
20 MEMBER DIMITRIJEVIC: Thank you, Kim. It 21 was a wonderful presentation. Thank you.
22 MS. LAWSON-JENKINS: Thank you.
23 CHAIR BROWN: All right, so with that --
24 did I miss anybody?
25 I didn't invite Michele. Did you have NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
204 1 anything else you wanted to say at the end of the 2 meeting, Michele?
3 MS. SAMPSON: No, I think Kim has so 4 wonderfully covered everything. Thank you very much.
5 We appreciate the opportunity for this meeting.
6 CHAIR BROWN: Okay, and thank you. All 7 right, see you all at the full committee meeting and 8 hopefully we'll drag ourselves through this again with 9 a little bit more clarity. So the meeting is now 10 adjourned.
11 (Whereupon, the above-entitled matter went 12 off the record at 3:30 p.m.)
13 14 15 16 17 18 19 20 21 22 23 24 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
Revision of RG 5.71 (Draft Guidance 5061)
Kim Lawson-Jenkins Cyber Security Branch Division of Physical and Cyber Security Policy Office of Nuclear Security and Incident Response 1
Overview
- Key Messages
- Background
- Updates
- Conclusion
- Q/A 2
Key Messages
- Since 2012, operating nuclear power plant (NPP) licensees have implemented cyber security programs and the NRC has implemented effective oversight of the licensees CSPs.
- No changes in staffs position, only clarifications and one new NRC regulation 10 CFR 73.77, Cyber Security Event Notifications.
- DG-5061 reflects the lessons learned since the issuance of RG 5.71 and prepares for the future.
3
Background
Cyber Security Program Timeline Licensee Interim RG 5.71 & NEI 08-09 Implementation Implementation Completed Guidance Acceptable NRC Cyber for Use Security Notification Rule Full 10 CFR 73.77 Implementation NRC & Industry agree on MS 1 - 7 10 CFR Implementation 73.54 Schedule Industrys Interim Implementation Schedule MS 1 - 7 Inspections Future 2009 2010 2011 2012 2013 2014 2015 2016 2017 Inspection Program NRC and Industry collaborative work on implementation guidance All NPPs Cyber Security
- Security Frequently Asked Questions (SFAQs)
Plans & Implementation Schedules Approved
- NEI 13-10 Assessment of Security Controls
- NRC Participation in Industry Workshops (MS 1-7) Inspection Lessons Learned RG- Regulatory Guide
- Tabletops to assess inspection procedure NEI - Nuclear Energy Institute CFR - Code of Federal Regulation NPP - Nuclear Power Plant 4
Background
The Big Picture Cyber Security Plan SSEP Perform CDA Applied To CDA functions CDA Security CDAs K Controls Knowledge of Continuously Attack Surfaces Monitored for and Pathways Effectiveness 5
Background
Milestone 1 - 7 Inspections 2013 2015 MS 1 MS 2 MS 3 MS 4 MS 5 MS 6 MS 7 Apply Establish the Implement Implement Identify Access Security Implement Observation & Ongoing Cyber Control for Controls to Critical One-way Identification Assessment Security Portable & Most
& Activities Digital Deterministic of Obvious Assessment Mobile Important Assets Device Cyber for Applied Team Devices Critical Digital Tampering Controls Assets 6
Background
Cyber Security Defensive Architecture Security / Safety Systems Site Network Corporate Network Internet One-way Deterministic Device 7
Milestones 1 - 7
- 1. Cyber Security Assessment Team
- 2. Identify Critical Digital Assets (CDAs)
- 3. Implement Defensive Architecture Most Risk 4. Apply Security Significant CDAs Controls 13
Full Program in RG 5.71
- 1. Cyber Security Assessment Team
- 2. Identify Critical Digital Assets (CDAs)
- 3. Implement Defensive Architecture
- 4. Apply Security Controls 14 14
Milestones 1 - 7 Inspections Number of Inspection Year Inspections 2013 20 2014 22 2015 21 All of the findings from the inspections were of very low safety significance.
The areas with the highest number of findings were:
- Milestone 2 - CDA identification
- Milestone 4 - PMMD handling
- Milestone 6 - CDA protection 15
Milestone 1-7 issues identified and addressed
- Deterministic Devices
- Data Integrity
- Moving Data Between Security Levels
- Treatment of Maintenance & Test Equipment 16
Timeline with DG-5061 Development Licensee Interim RG 5.71 & NEI 08-09 Implementation Implementation Completed NRC Cyber Guidance Acceptable Security for Use Notification Rule Full 10 CFR 73.77 Implementation NRC & Industry agree on MS 1 -
10 CFR 7 Implementation Full Implementation 73.52 Schedule Industrys Interim Inspections at all Implementation Schedule Licensee Sites MS 1 - 7 Inspections 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 All NPPs Cyber Security Plans &
Implementation Schedules Approved Initiated - DG-5061 in spring 2016 17 04/07/2020
OVERVIEW OF DG-5061 UPDATES 18
Updates in DG-5061 in 2018
- Clarify existing interpretation of regulations based on lessons learned from Milestones 1 -7 inspections
- New regulation since 2010
- Cyber security event notification
- New IAEA security guidance
- Commission direction regarding Balance of Plant equipment 19
Updates in DG-5061 in 2020
- Discussed Risk Informed Cyber Security
- Emphasized the need for accurate CDA assessments
- Leveraged new international standards/guidance and updated NIST guidance on cyber security
- Addressed public comments to 2018 DG-5061 20
Lessons Learned from Full Implementation Inspections 57 inspections completed from 2017 - 2021.
Insights on potential areas for improvement:
- Quality of licensee critical digital asset and system assessments
- Vulnerability assessments
- Periodicity for ongoing monitoring & monitoring of security controls.
21
Updates in DG-5061 Section Reason for Change C.3 Added text for Risk Informed Cyber Security C.3.1.3 Added Balance of Plant asset identification C 3.1.3 Added new decision points and text for identifying CDAs C 3.2.1 & C 3.3 Updated text for Defense in Depth protective strategies C 3.2.1 Updated text for Defensive Architecture for protecting functions, addressing vulnerabilities, and minimizing attack surfaces and pathways C.3.3 Updated text regarding the use of alternate controls C.3.3 Updated text to clarify the use of a consequence based, graded approach in applying security controls Background Added text stating technical controls can be incorporated during C.3.3.1 design certification C.3.3.1.1 to Text was added explaining the purpose of various technical C.3.3.1.5 security control groups Background Text was updated to cited new cyber event notification rule and 22 C.3.3.2.6 guidance
Updates in DG-5061 Section Reason for Change Background, C.3.3.3.1 Updated reference to sections of RG 1.152, Rev. 3 C.4.1 Added more examples of Continuous Monitoring; discussion of anomaly detection C.4.1.2 Added new text on using metrics for effectiveness analysis C 3.1.3, C.3.3.1.5,C.4.1, Added text regarding quality CDA assessments C.4.1.3,C.4.2.1,C.4.2.2, multiple sections in Appendix A, various controls in Appendices B & C Appendices B & C Clarification of all security controls Glossary Added new terms and definitions; clarified terms in Rev. 0 References Updated references Throughout document Editorial changes based on OGC comments, public comments, peer reviews 23
Updates in DG-5061 Risk Informed Cyber Security New to section C.3 Establishing and Implementing a Cyber Security Program Such a cyber security program can be characterized as risk-informed security in that the development and maintenance of the program makes use of risk insightsincluding threat information, the likelihood of adversary success, and the resulting level of consequences of the threatsup to and including the DBT described in 10 CFR 73.1. Establishment of a cyber security program could include the following:
- characterization of facility functions, including the identification of SSEP functions
- characterization of threats to the facility
- specification of requirements (including the CSP, the defensive architecture, and defense-in-depth methodology)
- implementation of the requirements based on consequence analyses
- validation and verification of the implementation of the cyber security program 24
Updates in DG-5061 Balance of Plant Modification to section C.3 Establishing and Implementing a Cyber Security Program The identification of CSs should include those systems, equipment, and devices that (1) perform or are relied upon for SSEP functions, (2) affect SSEP functions or affect CSs or CDAs that perform SSEP functions, (3) provide a pathway to a CS or CDA that could be used to compromise, attack, or degrade an SSEP function, (4) support a CS or CDA, (5) protect any of the above from cyber attack up to and including the DBT, or (6) are BOP systems, equipment, and devices that affect reactivity and could result in an unplanned reactor shutdown or transient.
25
Updates in DG-5061 Identification of Critical Digital Assets 26
Updates in DG-5061 Defense-in-Depth Protective Strategies New text in section C.3.2 and section 3.3 Security Controls Defensive strategy that employs multiple, diverse, and mutually-supporting tools, technologies, and processes to effectively perform timely detection of, protection against, and response to a cyber attack.
27
Updates in DG-5061 Defensive Architecture - Protect the SSEP function New text in section C.3.2.1 Functions are protected commensurate with their safety and security significance through the determination and use of appropriate security levels.
Each function is implemented by one or more critical systems. A systems allocation to a security level is determined by its associated function with the highest safety or security significance.
28
Updates in DG-5061 Defensive Architecture - Communication from lower to higher security levels (vulnerability updates)
New text in section C.3.2.1 Initiation of communications from digital assets at lower security levels to CDAs at higher security levels should be implemented on a deny-all, permit-by-exception basis, and the exceptions should be supported by a complete justification and security risk analysis.
29
Updates in DG-5061 Defensive Architecture - Minimizing attack surfaces and pathways New text to section C.3.2.1
- Applications, services, and protocols not necessary to support the design-basis function of the contained CDAs are eliminated.
- Implementation of the multiple, diverse technologies used within the plants addresses the attack surfaces and environments associated with the technologies so that the protections of the defensive architecture are not bypassed or circumvented.
30
Updates in DG-5061 Security Controls - Use of alternate controls Updated text to section C.3.3
- The various security objectives are explained in detail with examples.
- If a security control cannot be implemented, use alternative controls or countermeasures that provide at least an equivalent level of protection against the threat or attack vectors and vulnerabilities or weaknesses.
31
Updates in DG-5061 Security Controls - Consequence based, graded approach Updated text to section C.3.3
- Analysis done in support of this consequence-based, graded approach should be rigorous and repeatable by ensuring reproducibility and consistency of the applied security controls posture.
- NEI 13-10 is cited as an approach deemed acceptable for use 32
Updates in DG-5061 Technical Security Controls Updated text to section C.3.3.1
- Applicants for design certification may incorporate technical security controls as part of the nuclear power reactor.
Added text to sections C.3.3.1.1 to C.3.3.1.5
- Text was added explaining the purpose of access control, audit and accountability, system and communication protection, identification and authentication, and system hardening.
33
Updates in DG-5061 Incident Response Updated text to Background and section C.3.3.2.6
- Cites 10 CFR 73.77 Cyber security event notifications
- Updated references to incident response documents generated by NIST and DHS Cybersecurity and Infrastructure Security Agency 35
Updates in DG-5061 System and Service Acquisitions Updated text to Background and section C.3.3.3.1
- Update cites Section 2.1 through Section 2.6 of RG 1.152, Rev. 3 36
Updates in DG-5061 Continuous Monitoring and Assessment Updated text to section C.4.1
- Added more examples of continuous monitoring
- continuous monitoring of inbound and outbound network traffic and analysis of event logs;
- periodic vulnerability scans and assessments;
- ongoing verification using established baseline configurations that CDAs are being protected commensurate with their safety and security significance
- Expanded text to discuss the importance of anomaly detection 37
Updates in DG-5061 Effectiveness Analysis of Security Controls Updated text to section C.4.1.2 Introduced a methodology for defining metrics Define measurement goals and objectives as related to the security goals of 10 CFR 73.54 Define what metrics to capture and track to best measure the effectiveness of the CSP Develop strategies for generating and capturing metrics (e.g., log files, audit records).
Establish benchmarks and targets for metrics Establish a formal reporting/review/refinement cycle.
38
Assessments and Plant Assets 39
Updates in DG-5061 Maintenance of CDA Security Assessments Updated text to sections C 3.1.3, C.3.3.1.5,C.4.1,C.4.1.3, C.4.2.1, C.4.2.2, multiple sections in Appendix A, and various controls in Appendices B & C Clarified maintaining the accuracy of the security assessments throughout the CDAs product lifecycle
- Initial assessments and reviews
- Application of security controls
- Verification of security control effectiveness
- Vulnerability assessments
- Configuration management 40
Updates in DG-5061 Updates to Security Controls in Appendices B and C
- Control intent added to every security control
- Text added regarding reducing or eliminating attack surfaces and attack pathways
- Aligned with text in NIST 800-53 revision 5 41
Appendices B & C (security controls)
DG-5061 NEI 08-09 Rationale for change/difference B.1.9 Previous Logon Notification Removed Intent covered in covered in control logging/audit controls B.1.11 Supervision and Review - Access Removed Intent covered in covered in Control control logging/audit controls B.1.14 Automated Labeling Removed Removed Intent is covered in C.1.3 Media control control Labeling/Marking B.3.5 Resource Priority Removed Removed Any safety requirements for resource control control priority would have precedence.
This control is usually applicable in the design phase of a digital device.
B.3.19 Thin Nodes Removed Removed This control would be covered in the control control B.5.1 Removal of Unnecessary Services and Programs.
B.3.20 Heterogeneity/Diversity Removed Different depending on safety or control security context.
B.3.21 Fail in a known state Removed Important for security control 42
Other Changes
- Supply chain
- Removed prescriptive guidance from Appendix C.12.5 Developer Security Testing and Evaluation and C.12.6 Licensee/Applicant Testing
- Added text to evaluate attack surfaces and attack pathways
- Glossary
- References
- Numerous editorial changes 43
DG-5061 STATUS AND NEXT STEPS 44
DG-5061 Timeline Delayed work on DG for 2 years due to post assessment initiatives with industry and of the NRC oversight program 2016 2017 2018 2019 2020 2021 2022 DG-5061 released for Work resumed on DG-5061 public comment in August in August 2020 2018 Initiated - DG-5061 in spring 2016 45
Some Current CSB Work
- Vogtle 3 and 4 cyber security inspections
- Engaging with NRR, Region II, and Region IV who are performing digital upgrade reviews
- Part 53 rulemaking and guidance
- Wireless
- Zero Trust Architectures
- IEC and IAEA nuclear security work
- Supply chain, Risk Informed Security, Security Models, Artificial Intelligence 46
Estimated Timeline Task Date RGGIB issues DG for Public January 2022 Public Comment Period 2 months Update and finalize the RG - January 7 months through July 2022 ACRS brief and comment resolution 2 months Publish RG December 2022 47
Conclusion
- Since 2012, licensees have implemented cyber security programs and the NRC has implemented effective oversight of the licensees CSPs.
- No changes in staffs position in DG-5061, only clarifications and one new NRC regulation 10 CFR 73.77.
- World has changed since RG 5.71 revision 0 was issued in 2010. DG-5061 reflects the lessons learned and prepares for the future.
48
Questions 49