ML23164A152
| ML23164A152 | |
| Person / Time | |
|---|---|
| Issue date: | 05/17/2023 |
| From: | Advisory Committee on Reactor Safeguards |
| To: | |
| References | |
| NRC-2406 | |
| Download: ML23164A152 (1) | |
Text
Official Transcript of Proceedings NUCLEAR REGULATORY COMMISSION
Title:
Joint Plant Operations, Radiation Protection & Fire Protection and Digital I&C Subcommittee Docket Number: n/a Location: teleconference Date: 05-17-2023 Work Order No.: NRC-2406 Pages 1-251 NEAL R. GROSS AND CO., INC.
Court Reporters and Transcribers 1716 14th Street, N.W.
Washington, D.C. 20009 (202) 234-4433
1 1
2 3
4 DISCLAIMER 5
6 7 UNITED STATES NUCLEAR REGULATORY COMMISSIONS 8 ADVISORY COMMITTEE ON REACTOR SAFEGUARDS 9
10 11 The contents of this transcript of the 12 proceeding of the United States Nuclear Regulatory 13 Commission Advisory Committee on Reactor Safeguards, 14 as reported herein, is a record of the discussions 15 recorded at the meeting.
16 17 This transcript has not been reviewed, 18 corrected, and edited, and it may contain 19 inaccuracies.
20 21 22 23 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 www.nealrgross.com
1 1 UNITED STATES OF AMERICA 2 NUCLEAR REGULATORY COMMISSION 3 + + + + +
4 ADVISORY COMMITTEE ON REACTOR SAFEGUARDS 5 (ACRS) 6 + + + + +
7 JOINT PLANT OPERATIONS, RADIATION PROTECTION & FIRE 8 PROTECTION AND DIGITAL I&C SUBCOMMITTEE 9 + + + + +
10 WEDNESDAY 11 MAY 17, 2023 12 + + + + +
13 The Subcommittee met via hybrid in-person 14 and Video Teleconference, at 8:30 a.m. EDT, Gregory 15 Halnon, Chairman, presiding.
16 17 COMMITTEE MEMBERS:
18 GREGORY HALNON, Chair 19 RONALD G. BALLINGER, Member 20 CHARLES H. BROWN, JR., Member 21 VICKI BIER, Member 22 VESNA DIMITRIJEVIC, Member 23 WALT KIRCHNER, Member 24 JOSE MARCH-LEUBA, Member 25 DAVID PETTI, Member NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
2 1 JOY L. REMPE, Member 2 MATTHEW SUNSERI, Member 3
4 ACRS CONSULTANT:
5 DENNIS BLEY 6
7 DESIGNATED FEDERAL OFFICIAL:
10 ALSO PRESENT:
11 RYAN BECHTEL, DHS/CISA 12 JORGE CINTRON-RIVERA 13 CHRISTOPHER COOK, RES 14 DOUG ESKINS, RES 15 ISMAEL GARCIA, NSIR 16 ANYA KIM, RES 17 GURCHARAN MATHARU, NRR 18 KENNETH SEE, NRR 19 DANIEL WARNER, NSIR 20 BRIAN YIP, NSIR 21 22 23 24 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
3 1 CONTENTS 2 PAGE 3 Opening.. . . . . . . . . . . . . . . . . . . . . 4 4 Introductory Remarks. . . . . . . . . . . . . . . 7 5 Cybersecurity Current Status and Contemporary 6 Threats.. . . . . . . . . . . . . . . . . . . . . 11 7 Government Interactions: Coordination 8 Between NRC/NERC/FERC and 9 Role of DOE and CISA. . . . . . . . . . . . . . . 77 10 Cybersecurity for Advanced 11 Reactors and Staff Preparation 12 for Emerging Technologies.. . . . . . . . . . . 163 13 Public Comments.. . . . . . . . . . . . . . . . 247 14 Closing Remarks.. . . . . . . . . . . . . . . . 247 15 Adjourn.. . . . . . . . . . . . . . . . . . . . 251 16 17 18 19 20 21 22 23 24 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
4 1 P R O C E E D I N G S 2 8:30 a.m.
3 CHAIR HALNON: Good morning. This meeting 4 will now come to order.
5 This is a joint meeting of the Plant 6 Operations Radiation Protection and Fire Protection 7 and the Digital I&C Subcommittee.
8 I'm Greg Halnon, Chairman of this 9 subcommittee meeting. ACRS members in attendance are 10 Charlie Brown, Matt Sunseri, Jose March-Leuba, Vesna 11 Dimitrijevic, Joy Rempe, Vicki Bier, Ron Ballinger, 12 Dave Petti, Walt Kirchner, and our consultant, Dennis 13 Bley.
14 Christina Antonescu is the ACRS staff, and 15 is the designated federal official for this meeting.
16 I believe I did see the court reporter on, 17 correct?
18 Okay, the purpose of this meeting is for 19 the staff to brief the subcommittee on the status of 20 grid reliability, in the relation to cybersecurity and 21 nuclear power plants.
22 In addition, Department of Homeland 23 Security, welcome Ryan, thank you for coming, 24 Cybersecurity & Infrastructure Security Agency, or 25 CISA, is able to provide a briefing later, also.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
5 1 This is a very important topic, one the 2 committee has been seeking more information for 3 existing programs, and potential impacts to our 4 reviews of new and advanced reactors.
5 Cybersecurity seems to be a topic of 6 discussions every day, given the advancement of 7 technology and most recently, artificial intelligence.
8 We look forward to our discussions today 9 with the various federal agencies overseeing the 10 cybersecurity of nuclear power plants.
11 The ACRS was established by statute and is 12 governed by the Federal Advisory Committee Act, or 13 FACA.
14 That means the committee can only speak 15 through its published letter reports. We hold 16 meetings to gather information to support our 17 deliberations.
18 Interested parties who wish to provide 19 comments, can contact our office requesting time.
20 That said, we've set aside 15 minutes or more if 21 needed, for comments from members of the public, 22 attending or listening to our meetings.
23 Written comments are also welcome.
24 The meeting agenda for today's meeting is 25 published in the NRC's public meeting notice website, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
6 1 as well as the ACRS meeting website.
2 On the agenda for this meeting, and on the 3 ACRS meeting website are instructions as to how the 4 public may participate.
5 No request for making a statement to the 6 subcommittee has been received from the public.
7 We reserved the entire day for this 8 meeting, however, we may not need the entire time, but 9 we do not want to leave any questions on the table 10 today.
11 We are conducting today's meeting as a 12 hybrid meeting. A transcript of the meeting is being 13 capped, and will be made available on our website.
14 Therefore, we will request that 15 participants in this meeting should first identify 16 themselves, and speak with sufficient clarity and 17 volume, so they can be readily heard.
18 All presenters, please pause from time to 19 time, to allow members to ask questions. Please also 20 indicate the slide number you are on when moving 21 around in your presentation.
22 We have the MS Team phone line audio 23 established for the public to listen to the meeting.
24 Based on our experience with previous 25 virtual and hybrid meetings, I would like to remind NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
7 1 the speakers and presenters to speak slowly.
2 We will take a short break after each 3 presentation to allow time for screen sharing, as well 4 as the chairman, as my discretion during longer 5 presentations, we may take intermediate breaks.
6 Lastly, please do not use any virtual 7 meeting features from the MS Teams to conduct sidebar 8 technical discussions.
9 Rather, contact the DFO if you have any 10 technical questions so we can bring those to the 11 floor.
12 We will now proceed with the meeting.
13 I'll ask Mr. Brian Yip, the Branch Chief of the 14 Cybersecurity Branch, Division of Physical and 15 Cybersecurity Policy, in the Office of Nuclear 16 Security and Incident Response, to make some 17 introductory remarks on today's presentations.
18 Brian?
19 MR. YIP: Thank you.
20 Good morning everybody. Again, I'm Brian 21 Yip. I'm the Chief to the Cybersecurity Branch in 22 NSR.
23 My branch is primarily responsible for the 24 regulations and oversight programs for cybersecurity, 25 for nuclear power plants.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
8 1 And we also lead the agency's engagement 2 with industry, and the interagency on cyber issues in 3 general.
4 So for this briefing today, like most 5 issues in cybersecurity, we do work closely with some 6 partners within the agency, and also the 7 interagencies.
8 So we brought in partners from NRR, and 9 also from DHS, CISA to, to give these presentations 10 with us.
11 Today we have presentations by Dan Warner 12 first from the Cybersecurity branch. His presentation 13 will kind of lay the groundwork for the rest of the 14 day, talking about the general cybersecurity posture 15 for nuclear power plants today.
16 And, then we'll move on from that. Dan 17 will also give a presentation about our interagency 18 engagement with FERC, on some of the balance of 19 planned cybersecurity issues over the past 10 years, 20 and how we resolved those issues between our 21 cybersecurity regulations and the regulations 22 established by FERC, using the NERC critical 23 infrastructure protection standards.
24 Dan is also going to talk about a bit of 25 our engagement with the interagency, when it comes to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
9 1 cyber incident response.
2 Next, we'll have Jorge Cintron-Rivera 3 talking about the NRC's, a broad overview of the NRC's 4 relationship with FERC as it pertains to some general 5 grid protection, and balance of plan issues.
6 And then finally, in the morning we have 7 Ryan Bechtel, from DHS CISA. He's here to talk about 8 CISA's engagement with the nuclear sector, both with 9 the NRC, but then also CISA's direct engagement as the 10 sector risk management agency, and their engagement 11 with the nuclear sector directly.
12 In the afternoon session, we'll start with 13 Ishmael Garcia, our senior level adviser, for digital 14 I&C and cybersecurity.
15 He'll provide you an overview with a 16 briefing on the proposed cybersecurity approach in the 17 Part 53 rulemaking, that's now with the Commission for 18 review.
19 And then finally, we have Dr. Anya Kim and 20 Doug Eskins from the Office of Nuclear Regulatory 21 Research, to discuss some of our research activities 22 related to cybersecurity, and how their branch is 23 helping to prepare the NSIR staff to review some of 24 the novel, and emerging cybersecurity issues that we 25 see both in the near term, and that are rising.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
10 1 And with that, we can start the first 2 presentation, and I'll turn it over to Dan.
3 Thank you.
4 MR. WARNER: Good morning everybody. My 5 name is Dan Warner. I am also in the Cybersecurity 6 branch in the Division of Physical and Cybersecurity 7 Policy, in the Office of Nuclear Security and Incident 8 Response.
9 And for this first presentation, I'm going 10 to discuss the cybersecurity current status and 11 contemporary events at nuclear power plant licensees.
12 So I know many members have seen this 13 information before, so just briefly. We started our 14 full implementation inspections in 2017.
15 And basically what that was, is once the 16 rule was issued in 2009, we allowed licensees a number 17 of milestones to get the programs in place.
18 2017 is when we went and were confirming 19 they had actually implemented the program, as outlined 20 in the Regulations. And those inspections wrapped up 21 in early 2021.
22 There was a little bit of gap in the 23 beginning of 2022. We started the baseline biannual 24 inspections, and that is the program that we're 25 currently in now moving forward.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
11 1 MEMBER SUNSERI: Could you maybe position 2 that microphone a little closer?
3 MR. WARNER: Is that a little better?
4 So, the key messages for today's 5 presentation, cybersecurity controls in place at 6 nuclear power plants provide defense against attack 7 pathways of concern.
8 Programmatic controls ensure that the 9 cyber program is positioned to address the ever-10 changing threat environment, and ensuring defense-in-11 depth is maintained.
12 And the inspection program verified 13 licensee implementation of the cybersecurity program.
14 And now we are looking at maintenance for the 15 cybersecurity program, with the current inspection 16 program.
17 So, I'm going to go over a couple 18 definitions just to make sure everybody's on the same 19 page.
20 A critical system is any analog or digital 21 technology-based system in or outside of the plant, 22 that performs or is associated with a safety related, 23 important to safety, security, or emergency 24 preparedness function.
25 We typically will refer to these as SSEP NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
12 1 functions, in short.
2 A critical digital asset is a digital 3 computer, communication system, or network that is a 4 component of a critical system, or is a support system 5 asset where the failure or compromise by a cyberattack 6 result in an adverse impact to SSEP functions.
7 MEMBER MARCH-LEUBA: Just so we don't make 8 it boring -- yes, so we don't make it boring.
9 We will be interrupting you continuously, 10 especially me. In my mind, the most famous 11 cybersecurity attack, at least in my mind, was the 12 famous casino that was attacked via the aquarium 13 thermometer computer.
14 And there are no definitions that I see 15 here, aquarium thermometer, is critical system.
16 There is too much emphasis, I mean, it's 17 true that you need to protect the safe where all the 18 chips are, maybe to higher level than the aquarium.
19 But if you don't protect the aquarium, you 20 get into the safe.
21 So, by focusing and the other problem is 22 in this building, your boss and everybody else is 23 concentrated on regulations. What does the regulation 24 say. And as long as you meet the regulations, you're 25 fine.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
13 1 This cybersecurity threat is changing not 2 daily, it's changing hourly. Regulations, even if you 3 passed them last month, they're old.
4 MR. WARNER: Uh huh.
5 MEMBER MARCH-LEUBA: So this focusing, 6 especially in Part 53 on only CDAs, it scares me.
7 MR. WARNER: And I understand the concern 8 because as you said, the threat environment is ever 9 evolving, and is something that day-to-day, we don't 10 know what's coming next.
11 The focus of this presentation I think 12 actually might kind of help with that. Because 13 really, we're focusing on the attack pathways.
14 Not specific CDAs, but how are each of the 15 pathways that an adversary could use to attack a 16 system, protect it.
17 So, I can't speak much to the Part 53 18 because we'll have that later today. But hopefully my 19 presentation will at least help with the concerns you 20 have with the current fleet.
21 CHAIR HALNON: And Dan, that second sub-22 bullet under CDA, it's pretty broad when you don't 23 have a succinct definition of adverse impact.
24 Can you kind of give us a sense of the 25 range of adverse impacts? Because that kind of speaks NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
14 1 to Jose's issues that that could, depending on how you 2 define adverse impact, you could aquarium temperature 3 all the way up to you know, core melt.
4 So, in your experience, could you kind of 5 click on that letter that we're in and kind of expand 6 that for us?
7 MR. WARNER: What I'll say for this, is 8 this is not the first time that question has come up.
9 Because obviously like you said --
10 (Simultaneous speaking.)
11 CHAIR HALNON: I hope not.
12 MR. WARNER: -- adverse impact is a very 13 broad term.
14 And again, I just want to emphasize that 15 for this, I'm speaking from my own position.
16 There are a lot of areas where when we say 17 adverse impact. In my mind, it has to be broad 18 because I feel like that's the conservative approach 19 to trying to capture everything.
20 Like you said, then the problem becomes if 21 you have to try and plan for everything, how do you 22 focus on what really needs to be protected.
23 And that in general with cybersecurity, 24 that's always the question. Because like you say, 25 sorry about that.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
15 1 Like you were saying, I mean, the 2 thermometer in a completely unconnected, I mean, 3 obviously connected but unrelated system causing an 4 issue.
5 So, with the cybersecurity program, we're 6 trying to balance the ability to protect with 7 reasonable assurance from the concerns that are out 8 there, but also ensuring that as we move forward, any 9 future new attacks, threats, are able to be dealt 10 with.
11 So, I know that's not quite the best 12 answer for the question, but.
13 CHAIR HALNON: No, I think it is. I mean, 14 the answer in my mind, is that just yes, you protect 15 your critical digital assets.
16 But if you have an impact that may not 17 fall into the regulation if you will, that doesn't 18 preclude you from protecting it.
19 MR. WARNER: Correct.
20 CHAIR HALNON: So, you know, the whole 21 process we're going to talk through today with the 22 assessments and everything that was done, caused a lot 23 of the utilities and users of technology, to 24 understand better their vulnerabilities, and how far 25 that will go.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
16 1 As opposed to only drawing a hard circle 2 around things that could really affect the core. So, 3 I think that that's how I see it anyway.
4 MR. WARNER: Yes. And like I said, the 5 program really what I'm talking about today, is 6 focusing on how we're protecting the different 7 pathways, but also talking about defense-in-depth.
8 And that's one of the key components that 9 we're really using here is I mean, everybody likes to 10 use the example of the Swiss cheese. It's like 11 everything has holes in it.
12 The key is to line up the holes so that if 13 you get through one, there's something else blocking 14 you on the other side.
15 And that's one of the key components of 16 the program that we want to make sure is in place, to 17 offer as much protection as we reasonably can.
18 CHAIR HALNON: Well, we got to the third 19 slide before we jumped in there so that's actually 20 better than I thought.
21 MEMBER BROWN: No, we're not.
22 Yes, this is Charlie Brown. Are you 23 familiar with my general approach relative to the 24 reactor safety systems and safeguard systems, et 25 cetera, and the main control room, and the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
17 1 communications from systems to that control room.
2 And I guess one of the focuses I guess, 3 I've been emphasizing for numerous approaches, 4 applications we've seen, is not so much going out and 5 looking at every water fountain, and every cell phone, 6 and whatever it is. Not necessarily the cell phones 7 but the connected systems, not the ones you carry 8 around.
9 There's boundary conditions. If you focus 10 on the piece parts, you're never going to get there to 11 a closed system.
12 And the committee has always tried to draw 13 a dotted line around the main control room, down 14 through the whatever networks you have, within the 15 plant.
16 All around all the safeguards and safety 17 systems, and say everything's, there's no doors. If 18 it's a data, if you send data all you want to out to 19 NRC, out to the venders, whatever you want, it's got 20 to go through a hardware type data transmission device 21 that can't be compromised.
22 Sets aside the guy that comes into the 23 plant, which now he burrows his way in and somehow 24 gets into some piece of equipment.
25 And we've tried, we've incorporated some NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
18 1 of that thought process, also into 5.71, which is 2 pretty extensive.
3 So, I just wanted to emphasize that again.
4 I don't like, it's like trying to evaluate a reactor 5 safety system by evaluating every position, and every 6 IEEE standard, every Reg Guide. All those piece 7 parts.
8 It's the architecture that counts. So, 9 you want to boundary the architecture. And that, that 10 is hard to, that's hard to drag out.
11 When you see Part 53 and the new risk 12 informed thought process, we're, it's like a 13 crapshoot. You're just throwing everything up in the 14 air and we're going to reevaluate what's, what's 15 really necessary.
16 And maybe you don't have to follow our 17 regulations, even though they, we do have boundary 18 condition set ups.
19 I just want to emphasize that. I just 20 think the focus somewhere along this line, needs to 21 lay out as opposed to CDAs, boundary conditions for 22 overall plant electronic access, which is now just a, 23 as Jose said, it's just a terrible threat we have to 24 deal with.
25 So anyway, I'll --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
19 1 (Simultaneous speaking.)
2 MEMBER BROWN: -- that's just another 3 thought process.
4 MEMBER MARCH-LEUBA: Yes, I mean, I was the 5 instigator for this meeting. If you didn't know, now 6 you know even though these two guys were going to ask 7 it from me.
8 CHAIR HALNON: I tried to run interference 9 for you.
10 (Laughter.)
11 MEMBER MARCH-LEUBA: Yes. But my goal here 12 is not to learn what you're doing. I'm sure you guys 13 follow regulations, and you have programs and you do 14 audits.
15 And but there's some ideas in your mind 16 that maybe there is something else we need to discuss.
17 I personally, my wife has a company and 18 I'm her IT tech. So, I'm there trying to protect her 19 from, from the bad guys.
20 And if you concentrate on ransom ware and 21 you back up, and you back up, or you back up, I have 22 back ups of older files in different states. I'm not 23 connected to the Web.
24 But you concentrate on that, and then 25 suddenly they go and they steal your Coca-Cola files NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
20 1 and sell them to Pepsi.
2 So if you put all your eggs into the don't 3 encrypt my files, they'll attack you somewhere else.
4 And I'm concerned that because of regulation, because 5 our mission is to protect the safety, the nuclear 6 safety of the reactor, we may be making the utilities 7 spend too much money on that.
8 So, they even get the false sense of 9 security that they're protecting the safety very well.
10 And they're not protecting that other thing that 11 they're going to get attacked on, because they don't 12 have enough budget in the program to do the other 13 things.
14 And one thing that came up into our mind 15 when we reviewing this recent reactor, SHINE, it's a 16 facility to produce molybdenum-99 for, for hospitals.
17 It came to my realization and I some 18 members agree with me, that the SHINE reactor is more 19 safe when it's running, than when it is not.
20 If you shut down the molybdenum producing 21 great isotopes for medical production, you kill more 22 people statistically, than if you keep it running.
23 So, we put all our eggs in the basket of 24 make sure the reactor stays running.
25 So, there is more than one goal that you NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
21 1 need to, and you have to be in a generalist. I'm 2 scared to death.
3 MR. WARNER: I understand the concern. I 4 was actually part of that SHINE ACRS meeting, because 5 I reviewed the cybersecurity for SHINE. So, I 6 understand where this is coming from.
7 What I will say is the agency mission, I 8 don't know at least for existing power reactors 9 obviously, isn't really interpreted that way.
10 We are protecting public health and 11 safety, and that's from the use of the material 12 itself.
13 I don't know how much I can provide about 14 the production aspect of --
15 (Simultaneous speaking.)
16 MEMBER MARCH-LEUBA: Yes, and remember that 17 this is an open, open meeting. So let's, yes.
18 CHAIR HALNON: We tried to design this 19 meeting to start with the basics, and to spread out 20 into the rest of the world so that we could try to 21 encompass that.
22 I don't know if we're going to get all of 23 it because it kind of sometimes, we may go outside of 24 our mission.
25 But as we go through the day, and Dan NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
22 1 we'll let you put your wheels back on here on your 2 presentation in just a second, hopefully you'll find 3 other areas that your can interject some of the wisdom 4 that you've --
5 (Simultaneous speaking.)
6 MEMBER MARCH-LEUBA: Sometimes the ACRS 7 value is to provide ammunition for the staff to do 8 their job, or an incentive for the staff to do their 9 job better.
10 Give you guys ideas on what, oh, gee, I 11 wasn't doing that. Instead of us complaining about 12 paragraph 3.2, or this or that.
13 Okay, I will promise to leave you off for 14 two more slides.
15 MR. WARNER: All right, thank you, 16 appreciate it.
17 CHAIR HALNON: Thank you.
18 Dan, go ahead.
19 MR. WARNER: And just to confirm, we are on 20 slide 5 at the moment.
21 So, I wanted to kind of go over the 22 different types of CDAs that are part of the controls 23 that we'll find in the power plants.
24 So we have emergency preparedness CDAs, 25 which are those CDAs associated with EP functions, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
23 1 that do not have an independent and diverse alternate 2 method to perform the EP function.
3 And those will have to have either the 4 baseline controls, or a full, direct CDA assessment 5 with controls in place.
6 There are bounds of plant CDAs, where 7 those added to the cybersecurity rule scope during the 8 resolution of FERC Order 706 bravo.
9 And these will be addressed in, actually 10 in the next presentation. We'll go into more detail 11 on those.
12 Then we have indirect CDAs, which are 13 those that cannot have adverse impact on safety or 14 security functions, prior to detection compensation, 15 or compromise of failure was implemented.
16 And those get the baseline cybersecurity 17 controls, and I'll be discussing what those are in the 18 next slide.
19 And then anything non-assessed as indirect 20 VOP or EP as direct, and then they get a control 21 assessment, and that's where you determine what 22 controls need to be applied.
23 Next slide, please.
24 So, the baseline cybersecurity controls 25 listed here, for EP indirect and BOP SCRAM/Trip CDAs, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
24 1 they must be located within the protected area or the 2 vital area, or have the NEI 0809 section echo 5 3 controls applied.
4 No active wireless internet communication 5 on CDAs, or any interconnected asset. CDA and 6 interconnected assets are air gapped, or isolated, by 7 a deterministic device.
8 Portable media use is controlled. Changes 9 to CDAs are evaluated and documented, prior to 10 implementation.
11 And then CDAs or interconnected equipment 12 affected by the compromise of CDAs, are periodically 13 checked to ensure that they can perform their intended 14 functions.
15 And there's ongoing monitoring and 16 assessment that's performed, to verify baseline 17 security criteria remains in place.
18 MEMBER BROWN: Did you say no wireless, no 19 active wireless internet communication, yet on the 20 next slide you, couple of slides later you said gee, 21 you have to evaluate all the wireless.
22 That seems to be an oxy.
23 MR. WARNER: So, kind of --
24 (Simultaneous speaking.)
25 MEMBER BROWN: That's not a negative NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
25 1 comment about.
2 MR. WARNER: Right, right.
3 MEMBER BROWN: It's an observation.
4 MR. WARNER: Understand.
5 MEMBER BROWN: Don't take that the wrong 6 way.
7 MR. WARNER: Yes. So, what I will say is 8 that you cannot have an active wireless connection on 9 a CDA, or something directly connected to it.
10 We're currently doing evaluations on 11 wireless, and will have more discussions in the 12 advanced reactor section this afternoon.
13 But what we've kind of heard is the 14 potential is basically have a separate set of like 15 wireless sensors monitoring equipment, that prevent 16 operators from having to go into contaminated or high 17 rad areas as often.
18 So they would be independently installed.
19 And they can discuss more later, but the actual CDAs 20 are not allowed to have wireless --
21 MEMBER BROWN: They could have a wired 22 connection coming out to wherever you want to monitor, 23 as opposed to a wireless, and that still prevents 24 people from having to go into a contaminated, or high 25 radiation area.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
26 1 There are ways to solve that without 2 giving in to the mantra that we love wireless and it's 3 the sweetest thing that ever walked, you know, into 4 the plant.
5 I'm very, if it hadn't been clear in other 6 meetings, I have no, I am not a friend of wireless 7 anywhere inside the plant.
8 MR. WARNER: And that is something that we 9 are also very concerned about. There's a lot of 10 evaluation going on about that because we also are 11 concerned, and want to make sure that if it's 12 implemented, it's implemented safely and won't impact 13 the cybersecurity program.
14 MR. BLEY: Dan?
15 MR. WARNER: Yes.
16 MR. BLEY: This is Dennis Bley. Your third 17 bullet is very clear. CDAs and interconnected assets 18 are air gapped, or isolated by deterministic devices.
19 This isn't so much a question for you as 20 for the digital guys when we talk later. We've had a 21 little trouble being able to say essentially, the same 22 thing.
23 And I'm, this is a requirement for cyber 24 so maybe we'll talk about that some time later, but 25 thank you.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
27 1 MR. WARNER: Yes.
2 MEMBER MARCH-LEUBA: Yes, two things. I 3 mean, we're not going to let you go, we can hold you.
4 MR. WARNER: I'm prepared for it.
5 MEMBER MARCH-LEUBA: And most people enjoy 6 when they're sitting in your seat, when there is more 7 interaction of the, bless you, instead of yes and 8 reading your prepared slides. It's far more fun.
9 So, I disagree with my esteemed colleague 10 Charlie on the wireless.
11 MEMBER BROWN: I knew that, that's why I 12 let Jose object first.
13 MEMBER MARCH-LEUBA: You need to protect 14 against attacks by both wireless, and non-wireless.
15 Because that aquarium is on the cable.
16 So the attack came through, through a 17 corporate wire. So, you need to make sure that all 18 your pathways, which you're going to get into, are 19 protected.
20 I'm going to bring it now. Just a moment 21 ago, I check with the NIST CVE database, it's the 22 vulnerability database. It has 200,000 known 23 vulnerabilities. Those are the known ones.
24 And I check the last three months, how 25 many have been reported on virtual private networks, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
28 1 VPNs. Twenty-seven in the last three months.
2 If we continue at the same rate that every 3 time I put this on the record, every three days 4 somebody discovers a vulnerability with a VPN.
5 And everybody say oh, I have a VPN, how 6 can somebody break into it. Well, let me tell you.
7 We have a VPN right here inside this building, and I 8 personally detected an intrusion inside of the 9 building.
10 I mean, there was something running 11 sideways trying to infect my laptop.
12 I shut it down and ran to the phone. I 13 call IT and they say huh?
14 MR. YIP: Excuse me, we shouldn't talk 15 about vulnerabilities on an open.
16 MEMBER MARCH-LEUBA: This is not a 17 vulnerability.
18 So, this has happened. It happened 19 through the wire. So, just, just to put a little bit 20 of the scare of, on your, on you.
21 I mean, this is very difficult to control.
22 Have to be on your toes.
23 MR. WARNER: So, like I said, we're going 24 to look at the different attack pathways, and just go 25 through a sampling of controls that protect each of NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
29 1 those attack pathways.
2 And the attack pathways we are going to 3 look at are physical access, wired connectivity or 4 communications, wireless connectivity or 5 communications, the supply chain, and then portable 6 media and mobile devices, which we shortened to PMMD.
7 So, physical access ensures only the 8 appropriate personnel are able to interface physically 9 with a CDA.
10 Some of the controls that help protect are 11 access control policies and procedures, account 12 management, access enforcement, which is basically 13 just enforcing your access control policies and 14 procedures.
15 Physical access controls, such as locked 16 cabinets, USB port blockers, least privilege. Just 17 making sure that the person's account is using the 18 least necessary amount of privileges, to be able to do 19 the work performed.
20 And then logging. So everything that's 21 being done. Whether it's accessing keys, accessing 22 cabinets, or actually logging into devices, is 23 monitored and identified.
24 CHAIR HALNON: Dan, just recently, we've 25 had you know, in the news confidential information NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
30 1 leak from someone who was in an IT department.
2 IT folks typically have wide ranging 3 access because of their need to get throughout, 4 throughout the systems.
5 Is that covered under some of these 6 bullets, like account management and other things?
7 Are the IT people held to a higher standard of 8 background check, and physical access?
9 MR. WARNER: Yes, so licensees have an 10 insider mitigation program because obviously, one of 11 the most dangerous attacks you can have is an insider 12 who actually knows your system, is coming in and 13 messing with it.
14 So, the insider mitigation program ensures 15 that only those allowed have the access levels, and 16 they have the background check.
17 And then also if you're able to access 18 CDAs, you have to go a step further and be in the 19 critical group, which has further restrictions and 20 background checks, to make sure that the people who 21 are accessing your most sensitive equipment are those 22 that are most trusted.
23 So, wired access controls ensure only the 24 appropriate personnel are able to interface with the 25 CDA, using a wired network.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
31 1 Some of those controls are, you can see 2 below. I mean, we've got the first six are 3 essentially the first ones that we had for the other 4 one. You see those frequently.
5 Network access control. Basically making 6 sure that what's on the network, is what's supposed to 7 be on the network.
8 Any open or insecure protocols are not 9 allowed and blocked, to ensure they're not able to be 10 used to bypass security controls.
11 Insecure and rogue connections are 12 constantly being monitored and searched for, to ensure 13 that none are on the network.
14 And then use of external systems is 15 restricted so that any information that's flowing, 16 it's through a protected device like the data diode.
17 MEMBER MARCH-LEUBA: Your regulations are 18 not written too constrictive. They don't force you 19 into an old technology, right?
20 I'm thinking right now everybody's moving 21 to what they call pass keys, to replace passwords.
22 And I hope our regulations do say you're required to 23 have a password, and you allow pass keys.
24 Just keep that in mind that by writing a 25 prescriptive regulation, you might lock yourself into NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
32 1 an old technology.
2 And in this area, all technology is three 3 months old.
4 MR. WARNER: Yes, and the regulation is 5 like all, most of our regulations, are written at a 6 fairly high level.
7 That's one of the reasons in the IO 809 8 and Reg Guide 571 were developed to be able to provide 9 so much more detail on how to implement the actual 10 regulation itself, so.
11 And then in addition to all the previous 12 controls, wireless access controls ensure the 13 implementation of adequate protection and procedures, 14 to minimize the cyber risk associated with the use of 15 wireless technologies.
16 Some of those controls include only 17 allowing wireless access through a boundary security 18 control device, such as a firewall.
19 Prohibiting use of wireless for CDAs 20 associated with safety related and important safety 21 functions.
22 Disabling wireless when not used. And 23 then conducting scans for employing a wireless 24 intrusion detection system for any unauthorized 25 wireless access points, and disabling them if they are NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
33 1 discovered.
2 MEMBER BROWN: The disabling of the 3 wireless when not used, is that a physical, I mean, or 4 is software? Because anything that can be disabled, 5 the software can be re-enabled.
6 MR. WARNER: Right. In most cases, it is 7 software based. So, you would have to go in and 8 disable it.
9 There's a lot, big push both in the 10 general critical infrastructure and where you're 11 looking at here, the agency, for zero trust.
12 And part of that is basically that devices 13 are secure by default, which would mean that like 14 anything that would potentially allow extra access 15 like wireless, would be disabled upon the vender 16 shipping out the part in the beginning.
17 And that's to help for when people maybe 18 don't check all the settings, and don't turn off what 19 they need to turn off, so.
20 MEMBER BROWN: So it's disabled by 21 software, then it can be re-enabled by software.
22 MR. WARNER: That is correct.
23 MEMBER BROWN: So, that's kind of a 24 useless.
25 MR. WARNER: You can say that, but at the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
34 1 same time, I mean, most of these you have to be 2 physically at the device, or physically connected to 3 the device to be able to flip that switch.
4 With the insider mitigation program, the 5 access authorization program, with the physical 6 security controls in place, with the architecture 7 defense-in-depth, there are a lot of barriers that 8 would prevent that switch from being placed.
9 MR. YIP: And if I could, that's also one 10 of the reasons why we require periodic baseline 11 configuration audits for CDAs.
12 To ensure that the settings that were 13 initially put in place, are, are maintained throughout 14 the life cycle of the CDA.
15 CHAIR HALNON: That was Brian Yin. When 16 you jump in there Brian, make sure you say your name.
17 So I'm going to ask, Charlie, are you 18 finished because I have Vicki, and then Walt's online 19 who has a question.
20 Okay, Vicki?
21 MEMBER BIER: Okay, I'm actually going to 22 sound a lot like Charlie on this question.
23 Disabling wireless when not used, I guess 24 I have a couple of questions. First of all, is that 25 something that could be automated, or is that a NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
35 1 procedural control where the person has to remember 2 oh, I'm done with this task, now I should disable?
3 MR. WARNER: I mean, it's procedural. I 4 mean, it's going to have to be done by somebody.
5 MEMBER BIER: Yes.
6 MR. WARNER: But once it's turned off, it 7 should stay off.
8 MEMBER BIER: Yes.
9 CHAIR HALNON: Unless somebody actually 10 turns it back on. So, it just needs to be done.
11 And that would be part of the process when 12 procurement is done by the licensee, and then the 13 actual it's tested, and then installed.
14 They do have to do like Brian said, the 15 baseline configuration in the very first place so they 16 know what they have installed and everything.
17 And part of that should be verifying that 18 your wireless is disabled, if it's part of the 19 component.
20 MEMBER BIER: Yes. Because I just worry 21 that procedural controls are known to not be very 22 robust.
23 And if you can't do it, it's a lot harder 24 to do than if you can mess up and you're supposed to 25 not mess up.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
36 1 I guess the other thing is how much 2 flexibility is there, or just finding another way to 3 do it that doesn't require wireless in the component?
4 You know, are there functions that really 5 depend on that, or is that just a choice of 6 convenience, or whatever for the designer?
7 MR. WARNER: To my knowledge, there is not 8 active wireless being used within the plants.
9 Definitely not within the actual, the higher security 10 levels that are behind the data diode typically.
11 MEMBER BIER: Okay.
12 So this is conceptually a possibility, but 13 to your knowledge, people are not currently relying on 14 this option?
15 MR. WARNER: Right, because we're still 16 working with industry to try and figure out how vested 17 --
18 MEMBER BIER: Okay, thank you.
19 CHAIR HALNON: And just remind everybody, 20 the techniques are unknown to us, because our security 21 program, physical security programs, have been using 22 these for a while on the laptops and whatnot that they 23 use.
24 Walt, you're online. Go ahead.
25 MEMBER KIRCHNER: Thank you, Greg.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
37 1 Good morning everyone. Dan, one of my 2 questions would be the following. On your second sub-3 bullet under applicable controls prohibiting use of 4 wireless for CDAs associated with safety related.
5 That part I see as relatively 6 straightforward, at least determining which are in 7 that category because safety related typically is the 8 reactor protection system, engineering safeguard 9 systems, passive systems like the primary coolant 10 pressure boundary, et cetera.
11 Important to safety gets into the 12 probabilistic world actually, in my mind. Or maybe 13 that, that definition becomes, or that terminology 14 comes from that word.
15 To what extent are you using PRA 16 techniques to really examine vulnerabilities? Because 17 I'll just, I'll come up with a set of systems that I 18 think can be very important to safety for many 19 designs.
20 And, it would be something like feed water 21 control because you can use that to, to remove decay 22 heat.
23 So, how do you draw the boundary, and how 24 do you systematically search for what functions are 25 important to safety?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
38 1 MR. WARNER: That's a tough one. I come 2 from the digital I&C world before I came into the 3 cybersecurity, so I know how when you start talking 4 important to safety, the definitions get a little 5 nebulous.
6 So basically, anything that's going to be, 7 okay. So, as part of some of the changes that were 8 made with the NEI guidance documentation, safety 9 related, important to safety did have some changes 10 that were done.
11 And, I think the real primary part of that 12 was because licensees were overly conservative in how 13 many assets they were kind of lumping into that 14 category.
15 I will be perfectly honest, I'm not as 16 familiar with the actual changes that were made. So, 17 that is a concern.
18 Obviously, licensees tend to be more 19 conservative because it's better to have too many 20 CDAs, than not have the appropriate CDAs bounded.
21 Yes, so I don't know if I'm really able to 22 answer your question.
23 MR. YIP: And, this is Brian Yip. If I 24 could, I think that the short answer would be we 25 recognize the same, same challenge that you just NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
39 1 identified that important to safety is not as clear 2 cut as safety related.
3 And the staff did do a review of the 4 Nuclear Energy Institute's document NEI 10-04, 5 revision 3, which we just proofed for use about a year 6 ago.
7 A part of the discussion and the reason 8 for revising that document by NEI, was to address and 9 provide additional guidance on important to safety.
10 So I don't know that we can get into the 11 specific details of it without having it in front of 12 us, but just to say that was something that we 13 considered and addressed in recent guidance changes.
14 MR. WARNER: Thank you, Brian.
15 MEMBER KIRCHNER: Well, let me if I may, 16 just Greg, elaborate with a few examples. I mean, for 17 many, many reactor concepts as well as plants, your 18 ultimate heat sake is certainly important to safety.
19 And so you get into a large swath of the 20 balance of plant so to speak. And, then you have the 21 dilemma that much of that part of the plant can be 22 compromised by wireless, or internet connections, and 23 so on.
24 So, I'm just concerned there because 25 important to safety can be a lot broader class, or NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
40 1 swath of a power plant than, than more readily, not 2 easily, readily determined safety related functions.
3 Just an observation.
4 MR. WARNER: Thank you.
5 CHAIR HALNON: Thanks, Walt.
6 Charlie?
7 MEMBER BROWN: I want to segue back to, not 8 to the what I said before; different, different, 9 slightly different subject.
10 A lot of controllers now, you know, for 11 pumps, valves, et cetera, et cetera, were moving away 12 from relays and contactors and stuff like that, to 13 programmable logic devices.
14 You can argue whether throwing in a 15 software based PLD is a good idea, or not. The other 16 one was a coil, the contacts closed and it worked.
17 Now you've got all kinds of stuff. But 18 the argument generally is that you can monitor that 19 component much better if you can get data on whether 20 it's currents are changing, is it overheating. It's 21 doing a lot of different things.
22 Then we get into the world that we just 23 finished with, the commercial dedication of some of 24 these programmable logic devices.
25 So now it's another step down the path on NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
41 1 the, what did I call it, the 1E, or NQA type 2 certification via NRC standard.
3 That's just another layer of these things, 4 of having to deal with. But that's a more complex 5 issue.
6 And is there anything in your all's world 7 where you're starting to look at how these are being 8 used, and how they work into this not necessarily 9 wireless even connected because it doesn't really 10 matter which, which one you do.
11 MR. WARNER: Yes, I mean, FPGAs are 12 obviously starting to be used in a lot of the newer 13 designs. That's a concern along those lines.
14 MEMBER BROWN: But FPGAs are almost, once 15 you program it, depending on what type of device you 16 store it from the FPGA.
17 But if it's a volatile FPGA, you have to 18 reboot it every time you lose power. You're setting 19 yourself up to having something happen under those 20 circumstances.
21 If it's a non-volatile FPGA, once you 22 program it, theoretically, I'm not a programmer, okay, 23 I'm not a designer, you can't go in and change where 24 those, those various logic units are switched on and 25 off.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
42 1 That's the theory.
2 MR. WARNER: Yes.
3 MEMBER BROWN: I used to block stuff with 4 having a UV-type where you, they weren't e-squared 5 like accessible whether they're FPGAs or anything 6 else. And, that's pretty good.
7 Once you UV it, you can't touch them from 8 a programmable read only memory.
9 Anyway, the PLD starting to me after our 10 last rounds, when you can see them, people wanting to 11 back some of those.
12 And they're not in the plants now, but 13 they may want to for plant monitoring and reliability 14 assessment. Particularly as they get older.
15 CHAIR HALNON: Yes, and as we get into the 16 part, the afternoon session, I think we're going to 17 dig into this wireless since the trend is to go more 18 wireless, and more automated, we're going to dig into 19 this.
20 And I think a lot of these comments on the 21 wireless are probably more appropriate for the 22 research and other folks.
23 MEMBER BROWN: I'll wait.
24 CHAIR HALNON: Well, but that was my way of 25 saying to Charlie, wait, but I was trying to be more NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
43 1 professional than just yell it.
2 (Simultaneous speaking.)
3 MR. WARNER: What I will say, and that's 4 kind of the, what we wanted to emphasize with this 5 presentation.
6 Technology is obviously ever-evolving.
7 Nuclear plants are way behind everybody else who's 8 been using these newer devices for many years.
9 But as far as cybersecurity goes, 10 especially since I've been involved with some of those 11 critical infrastructure activities coming out of CISA, 12 I think we're ahead of the game.
13 Part of that is because we're really, 14 besides all the controls, checking baseline 15 configurations, ensuring that vulnerabilities are 16 identified and mitigated, we're also protecting the 17 pathways that ensure that hey, if somebody can't get 18 to the devices that are of concern, then they can't 19 mess with it.
20 So, it's belts and suspenders because 21 making sure, and that's the whole point of the 22 defense-in-depth.
23 So I understand where the concerns come 24 from because we obviously we're getting reports, 25 seeing all this stuff coming out about the new threats NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
44 1 and vulnerabilities.
2 So, we have to make sure they're 3 protected. That's what we, in the firms do.
4 MEMBER BROWN: To me, it's nice to see, I 5 remember 10, 12 years ago when I first got here and I 6 addressed the data diode hardware based. It was not 7 received very gently in terms of the need for that 8 type of stuff.
9 And now, I see you know, if you go back 10 several slides you emphasize the deterministic 11 isolation values, the hardware based stuff.
12 Air gaps are really becoming into play, 13 which so maybe all that political palaver that we went 14 through 10 years ago and on, ongoing over the last few 15 years, is starting to pay off. So good to see that.
16 CHAIR HALNON: Exactly.
17 So then the next type of pathway we're 18 going to talk about is the supply chain. So, supply 19 chain controls ensure that cybersecurity risks 20 throughout the supply chain are identified, assessed, 21 and mitigated.
22 And some of those include policies for 23 systems and services acquisition, supply chain 24 protections, trustworthiness, basically ensuring that 25 the, from the development of the device to the time it NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
45 1 was delivered onsite, that the device is protected and 2 you're sure that the, you're getting what you ordered.
3 Developer security testing and evaluation, 4 and then licensee applicant testing. Basically do, 5 have the developer do their testing, and then when you 6 get the device, you do the site acceptance, and 7 factory acceptance testing to ensure that what you got 8 is what was ordered, and what was you were told.
9 CHAIR HALNON: And, is what we learned 10 about the counterfeit issue intertwined in all those?
11 MR. WARNER: Yes. The counterfeits are 12 obviously a big concern. And then part of this is 13 definitely making sure that you are getting legitimate 14 components.
15 MEMBER BIER: Are there any restrictions or 16 requirements regarding country of origin for 17 components?
18 MR. WARNER: I don't know.
19 MEMBER BIER: Okay.
20 MR. WARNER: I have not delved too much 21 into this.
22 MEMBER BIER: All right.
23 MR. WARNER: So, I don't want to answer 24 that question.
25 MEMBER BIER: Yes.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
46 1 MR. WARNER: That's something that I can go 2 back and ask.
3 MEMBER BIER: My guess is no, but it would 4 be nice to know if you know, what the true situation 5 is.
6 The other thing on acceptance testing, 7 it's unclear to me how far that goes, because 8 acceptance testing can verify that the component does 9 what it's supposed to do in it's intended application.
10 But I'm not sure how one would acceptance 11 test for kind of hidden code, that can be activated 12 under the right circumstances. It's really hard to 13 know what's in that black box when you test it, so.
14 MR. WARNER: And that's one of the reasons 15 when we have vender inspections, and ensuring that the 16 venders are trustworthy. There are a secure 17 development and operational environments in place.
18 A lot of that's more on the digital I&C 19 side than here in cyber, but that is definitely a 20 concern.
21 And when you're doing your site acceptance 22 testing, it's important to test what you're supposed 23 to have, but also test what you don't want, so.
24 MEMBER MARCH-LEUBA: Yes, put this little 25 bug in your head. You guys are familiar with legacy NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
47 1 APIs where you -- code and you put an include, and 2 there goes something that a graduate student wrote in 3 1972, and it's still being carried on.
4 And the order attack similar to this, is 5 when you have included code, and goes and gets it 6 automatically from a get hub.
7 And bad actors have gone to the get hub 8 and put a newer version on top of the old one, so 9 they, you just flipped it for them and send it to the 10 power plant.
11 So, we have to be careful. There are so 12 many ways to get in.
13 MR. WARNER: Yes, but I will say if a 14 licensee is going to get hub to get updates for a 15 device instead of going back to the vender, that's a 16 problem.
17 And that's something that they shouldn't 18 be doing just as a company doing smart business.
19 MEMBER MARCH-LEUBA: I need to send you a 20 study they made on the Israeli company that gets into 21 iPhones, how they got into the iPhone.
22 I don't know if you've read it, it's 23 really interesting. It's incredibly sophisticated.
24 And, they using a grad student work from '99 is to do 25 that.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
48 1 MR. WARNER: Yes.
2 MR. BLEY: Hey, Dennis Bley again. Charlie 3 brought up commercial dedication. We went through 4 that a lot with the I&C folks a while back.
5 My memory's not complete on that, but a 6 lot of the things such as monitoring at the factories 7 kind of goes away when you have commercial dedication, 8 I believe.
9 Have you folks in cyber, are you in sync 10 with what's been going on on the I&C side for, for 11 that issue?
12 MR. WARNER: So, no, that would typically 13 reside again in the digital I&C realm. I mean, we're 14 more concerned on the cybersecurity side that once 15 it's installed, protecting pathways, and ensuring 16 it's doing what it's supposed to be doing.
17 But when you get down to the commercial 18 grade dedication, that's kind of our of our purview.
19 MR. BLEY: Yes, but I, but if something 20 goes wrong through that path, it will be back in your 21 purview. So, it seems there ought to be some 22 coordination on that issue.
23 MR. WARNER: And there is. We do have some 24 interaction with the I&C branches in NRR. In fact, 25 we've got some members here that I hope for the next NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
49 1 presentation.
2 So, there is coordination. Doesn't mean 3 that never is there opportunities for more.
4 MR. BLEY: But I guess what I'm getting at, 5 some of the, some of the things that are routine to do 6 from the cyber side using the previous sources, kind 7 of disappear I think, unless I'm missing something 8 when you go to commercial dedication.
9 Maybe some of the other guys can talk 10 about that later.
11 CHAIR HALNON: Yes, if we don't pick it up, 12 Dennis, reinvigorate the question.
13 Walter, you're online, go ahead.
14 MEMBER KIRCHNER: Thank you, Greg.
15 Dennis asked a more detailed version of my 16 very same question. This all looks a lot, you know, 17 the drive, the desire, let me back myself up.
18 At a very high level, there's certainly 19 the economic factors, particularly this afternoon if 20 we talk about advance reactors, that were, they want 21 to partition systems and limit the, the number of 22 quote/unquote safety related systems in a sense as 23 they used digital I&C, they're going to want to limit 24 the number of critical digital assets.
25 But this list of applicable controls looks NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
50 1 a lot like NQA-1. Which we hear a lot of pushback on 2 because of economic reasons, not necessarily others.
3 What kind of, as Dennis pointed out, if we 4 go to commercial dedication and sources, yes, what 5 kind of controls or quality assurance regime are 6 these, these, is the supply chain going to be 7 monitored under?
8 MR. WARNER: I mean, so as part of the 9 inspection process when we're onsite, we're looking at 10 the commitments that the licensee has made in their 11 cybersecurity plan.
12 And then we are also looking at policies 13 and procedures that they have in place, to ensure that 14 they're addressing those commitments.
15 As part of that, there are supply chain 16 procedures and policies that we'll look at, see how 17 they're being implemented.
18 And then determine if we feel that they're 19 meeting the commitments they've made, in their 20 cybersecurity plans.
21 So, we make sure that they are ordering 22 them in a manner to ensure the appropriate controls 23 are in place.
24 That they're stored. That they're, when 25 they're accessed, they're necessary. Making sure that NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
51 1 the protectors are in place.
2 Or they're tested to ensure that the 3 device is what they want to install, and that it's got 4 all the necessary controls in place.
5 And I know that really does kind of 6 dovetail what's really done on the procurement just on 7 the engineering side.
8 But yes, we tend to focus more on the 9 security controls, as opposed to security development 10 and ensuring that the site acceptance testing was 11 performed, and the engineering side of things.
12 CHAIR HALNON: So, Dan, more specifically, 13 the question and I want to try to help to answer here.
14 In the process of the utility developing 15 an approved suppliers list, ASL, the cyber controls 16 and stuff that you have in the cyber plans for 17 approving a supplier includes the requirements of the 18 cyber trustworthiness, and material testing, and those 19 types of things, as well.
20 So, it's not like you have an approved 21 supplier and then you have to apply security, 22 cybersecurity controls on it.
23 They're intertwined in the development, 24 just like they would be in a digital I&C design.
25 They're intertwined in that.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
52 1 And the cyber plan sets those requirements 2 that people have to design with, not necessarily in 3 isolation of. I guess that's my point.
4 So, while from same thing with the 5 dedication, commercial dedication. The requirements 6 are built in to the dedication process, and then the 7 cyber plans verify inspections, make that verification 8 documented.
9 So, yes, is anything I said off, or is 10 that correct?
11 MR. WARNER: No, that sounds good. Thank 12 you for the assistance, so, yes. Not really handled 13 by us, but we are part of that process.
14 CHAIR HALNON: Well, yes, you're the 15 technology piece that sets, set the rules or sets the 16 parameters of what they have to do to make their 17 systems work.
18 Anybody else as we go forward?
19 Okay, Dan, go ahead.
20 MR. WARNER: All right, thank you.
21 And then the last pathway we're looking at 22 is the portable media and mobile device. Release 23 controls ensure the implementation of adequate 24 protection and procedures, to minimize the cyber risk 25 associated with the use of unapproved PMMD.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
53 1 And some of the controls for that include 2 uses and restrictions, and implementation guidance for 3 controlling the PMMD.
4 Authorizing, monitoring, and controlling 5 PMMD access to CDAs. PMMD security integrity are 6 maintained at a level consistent with the CDAs they 7 support.
8 And then PMMD can only be used on one 9 security level, and not be moved between security 10 levels.
11 MEMBER MARCH-LEUBA: This kind of ties with 12 the wireless, because it's fairly easy with physical 13 access to prevent somebody from plugging in a USB 14 port.
15 But more and more, all the maintenance 16 people in power plants work in there with a tablet to 17 do their job.
18 And those tablets somehow, if you have a 19 possible wireless path, somehow they become PMMDs.
20 So, and that's a nightmare.
21 MR. WARNER: Well --
22 (Simultaneous speaking.)
23 MEMBER MARCH-LEUBA: That's why you have 24 to, you have to attack it from the wireless point of 25 view. The CDA cannot accept an unknown device.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
54 1 MR. WARNER: Right. And that's one of the 2 reasons the baseline configuration controls also 3 ensure that no wireless is active so they can't 4 connect.
5 MEMBER MARCH-LEUBA: Yes, but yes, but you.
6 MR. WARNER: Yes.
7 MEMBER MARCH-LEUBA: Every instrument 8 technicians that walks into a power plant, has a 9 tablet in their hands.
10 MR. WARNER: Or phone in their pocket, I 11 mean, yes.
12 MEMBER MARCH-LEUBA: Yes.
13 MR. WARNER: We understand.
14 CHAIR HALNON: Dan, there's constant 15 software updates on our equipment. And it's usually 16 done wirelessly for us laymen people.
17 But, so how do you control a vender coming 18 in and saying I need to update the software on your 19 system, which is a critical digital asset?
20 Could you just walk us through how that 21 would work to ensure that it's protected?
22 MR. WARNER: Yes. So, in many cases, 23 venders have a laptop. And, the laptop they use is 24 specific to the equipment they have installed.
25 And licensees will typically have that NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
55 1 laptop. It will be part of their PMMD program. It's 2 basically an engineer can like, test equipment 3 essentially.
4 That PMMD, depending on what level it is, 5 is protected in a cabinet. It's secured, it's ensured 6 that nobody's messed with it.
7 They will also do scans on it right before 8 actually using it, to connect to equipment to make 9 sure there's no malware or anything on there.
10 And then usage is logged and tracked from 11 when it's pulled out of the cabinet, it's used. The 12 vender, if they're the one actually doing the work, 13 will have to be escorted by somebody who's in the 14 critical group.
15 Basically, there's a lot of protections in 16 place to make sure that the test equipment, or just 17 being used, is not infected with any sort of malware, 18 so we don't transfer it to the device.
19 And that there are protections in place to 20 ensure the person who is actually doing the work, is 21 also being monitored and show no malicious activity.
22 CHAIR HALNON: Okay, thanks.
23 MEMBER PETTI: So, I'm just a little 24 confused. The computer sits at the plant and the guy 25 comes in. Is that what you basically said?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
56 1 MR. WARNER: So, I'm, I have not dealt with 2 this as much, so that I have dealt with is that 3 venders will leave equipment there onsite, or it will 4 be a licensee device that has the appropriate software 5 necessary to interface with the system.
6 MEMBER PETTI: But if they have to update 7 something, they're bringing something in. They're 8 bringing some additional software.
9 So, how do you protect, how is that 10 protected?
11 MR. WARNER: The kiosks are basically used 12 as scanning devices for any media transferring from 13 one level to the next.
14 So if you're bringing in something from 15 the outside, it has to get plugged in, scanned, 16 transferred to a level appropriate device, and then 17 that device is what's actually connected to the 18 equipment.
19 So there should never be anything that's 20 bringing, been brought in from the outside and not 21 been scanned, before it actually interfaces with any 22 devices.
23 Then we also have a host of programmatic 24 controls that are in place. These programmatic 25 controls are necessary to maintain security throughout NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
57 1 the life cycle of CDAs.
2 One of the primary purposes of these 3 controls is to ensure that as the threat environment 4 evolves, the licensee systems remain secure from 5 cyberattack.
6 We obviously discussed that, that 7 significant amount this morning.
8 Some of these controls include continuous 9 monitoring and assessment. Licensees must do periodic 10 assessment of security controls.
11 They must perform effectiveness analysis, 12 which basically is a review of their program to ensure 13 it's still meeting the intent.
14 Vulnerability assessments and scans on 15 devices. Configuration management. You want to know 16 what's going in and out of the plant.
17 Change control. Security impact analysis 18 of any changes in the environment, and then obviously, 19 cybersecurity program reviews.
20 And, a lot of this stuff is also being 21 assessed when we come in for our inspections.
22 CHAIR HALNON: Back on the when you say 23 continuous monitoring assessments, it gives you the 24 visual that there's somebody sitting in front of a 25 computer screen watching a bunch of graphs, and NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
58 1 spikes, and whatnot.
2 Is this basically software monitoring the 3 software and flagging it, and giving somebody a text 4 or something to that effect that there's an issue?
5 MR. WARNER: So, that is in place, so, 6 just to get the actual, the definition for the 7 continuous monitoring, so, ensures that period review 8 and testing of security controls, processes, and 9 procedures are conducted to confirm that the 10 established security controls remain in place, and 11 that changes in the system network environment or 12 emerging threats do not diminish the effectiveness of 13 these controls, processes, or procedures.
14 This is more the programmatic controls.
15 It's more talking about actually the overall 16 administrative aspects more than it is the technical 17 monitoring of logs and networks.
18 CHAIR HALNON: In other words, you have 19 dedicated folks running the program essentially.
20 Thanks.
21 MR. WARNER: And then vulnerability 22 management, so to protect against the ever-changing 23 threat environment, nuclear licensees are required by 24 their established security plans to address ongoing 25 threats and vulnerabilities.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
59 1 CDAs are performing vulnerability 2 assessments or scans and evaluations to identify 3 applicable corrective actions required to mitigate or 4 remediate vulnerabilities to maintain an adequate 5 defense-in-depth and prevent CDA compromise or 6 exploitation. Yeah, that was a long one.
7 So, here are some of the controls that are 8 used for vulnerability management. The most basic is 9 obviously installing any operating system, 10 application, and third-party software updates, 11 remediating any flaws that are identified, reviewing 12 security alerts and advisories to determine if there 13 are any new vulnerabilities that impact your systems, 14 contacts with security groups and associations which 15 helps ensure that lessons learned are being 16 distributed, and then evaluating and continuing to 17 manage cyber risk.
18 Then, of course, defense-in-depth, so as 19 stated in 10 CFR 73.54(c)(2), a licensee must design 20 a cybersecurity program to apply and maintain an 21 integrated defense-in-depth protective strategy to 22 ensure the capability to detect, prevent, respond to, 23 mitigate, and recover from a cyberattack.
24 So, an acceptable defense-in-depth 25 protective strategy includes a defense architecture NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
60 1 that describes a physical and logical network design 2 that implements successive security levels separated 3 by boundary control devices with segmentation with any 4 security level. I have a diagram on the next slide 5 that kind of helps show that a little bit better.
6 And then also employs multiple diverse and 7 mutually supporting tools, technologies, and processes 8 to effectively perform timely detective of, protection 9 against, and response to a cyberattack.
10 As you can see here, this is the typical 11 drawing that we like to include in many of our 12 presentations. On the left, you see key components of 13 creating a cybersecurity assessment team, identifying 14 your critical digital assets, implementing the 15 defensive architecture.
16 In this case, level zero is your least 17 secure, and as you're moving down through the levels, 18 you're going through boundary control devices, and 19 then as you can see between level two and three, we 20 have demonstrated here a data diode that prevents 21 communication going from a lower security level into 22 a higher security level, and then applying the 23 security controls to CDAs.
24 And then the bottom part really talks 25 about different aspects of the program that support NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
61 1 all of this. Obviously, we have defense-in-depth, 2 applying security controls, and that's typically done 3 using NEI 13-10, mitigation strategies, training, 4 managing your cyber risk, periodic reviews, 5 evaluations of any modifications to components, 6 incident response, and then having procedures in 7 place, and then, of course, recording. Any records 8 are being retained for the future.
9 MEMBER BROWN: Just to be parochial, level 10 four is something like the reactor protection system, 11 safeguard systems, et cetera, et cetera, and I've 12 never been comfortable with just a firewall sending 13 data from a protection system to the main control room 14 or any place else other than tripping the breakers or 15 starting a pump, you know, but those are isolated 16 controls.
17 But sending that information anywhere else 18 just with a firewall, and depending on then the level 19 three, which I would view as that's communications out 20 of a control room, or technical support center, or 21 something -- yeah, that's just hypothetical, but 22 that's one way to view this.
23 So, I've really never liked this diagram.
24 It used to have a data diode. If you went back when 25 we talked ten years ago, 12 years ago, 2008 or '09, we NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
62 1 were arguing that that ought to be from a system 2 standpoint, not necessarily from a diagrammatic 3 standpoint. There are other things in level four that 4 a firewall would work just fine for, but there are 5 some that you ought to draw a harder line.
6 MR. WARNER: So, are you saying an 7 additional data diode between level four and level 8 three?
9 MEMBER BROWN: For specific systems like 10 all of the RPS stuff, reactor protection system data 11 should be a level four, I mean, should be a data diode 12 type of thing. So, that's what we've actually been 13 able to accomplish in most of the applicants.
14 They've either recognized that it's good 15 advice to get it through the NRC and the committee, so 16 they do it, or whatever, but it's been a struggle in 17 some cases to discuss it because it's a hole and it 18 gets very prescriptive when you do that, mention it.
19 The NRC, I forget, and I'm not trying to 20 pick on particular people, but the NRC is very 21 reluctant now to tell people how to keep their plant 22 safe. They're more reluctant than they used to be.
23 That's my impression. That's not the committee's 24 impression.
25 CHAIR HALNON: Have you found the level NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
63 1 three, level four barrier hasn't been effective?
2 MR. WARNER: I mean, I will say we have 3 not had an incident on a system that's behind the data 4 diode at a nuclear facility.
5 CHAIR HALNON: Okay.
6 MEMBER BROWN: I would have expected that 7 to be. It's going to be an exception rather than a 8 rule, having general problems. There's going to be 9 this specific problem that comes up that you don't 10 anticipate some circumstances.
11 MEMBER MARCH-LEUBA: Meanwhile, on this 12 drawing, you still have a firewall. You should put 13 Gruyere cheese because that firewall has a bunch of 14 holes that are open.
15 MEMBER BROWN: It's like an open cesspool.
16 MEMBER MARCH-LEUBA: So, well, no, it's 17 not that bad --
18 (Laughter.)
19 MEMBER MARCH-LEUBA: -- not that bad, but 20 honestly, you put the firewall because you do need 21 communication flowing that way.
22 MEMBER BROWN: Yes, I agree with that, but 23 a data diode would work also, or --
24 MEMBER MARCH-LEUBA: No, the diode would 25 not allow you to communicate from three to four.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
64 1 MEMBER BROWN: Well, that's -- a wire is 2 a data diode when you trip something, so you can get 3 from three to four fairly easy if you've got a switch 4 and cables.
5 MEMBER MARCH-LEUBA: Simple --
6 (Simultaneous speaking.)
7 MEMBER BROWN: That's a detailed design 8 issue. I'm just saying that that makes it look like 9 that's the only thing you have to have is the 10 software-based fire walls, which are easily, pretty 11 easily compromisable by very, very confident hackers, 12 but now they've got another wall to go through to get 13 there, so that's the good news. So, all right, I just 14 wanted Dan to slow down on this, obviously.
15 MR. WARNER: Understood.
16 MEMBER BROWN: Sorry about that, Greg.
17 CHAIR HALNON: That's okay. Back on the 18 defense-in-depth slide, those items in number five, 19 the bottom portion, we're pretty good at coming up 20 with additional stuff.
21 Is there other things under consideration 22 there from a defense-in-depth perspective given the 23 advancement in technology that we are right now or is 24 that pretty much the bounding list of stuff that we're 25 doing for the lower end of it?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
65 1 MR. WARNER: I mean, we're always looking 2 at the program and looking to evolve the program to 3 address threats. I mean, as Charlie mentioned, so 4 most licensees use a data diode, but it's not 5 required. That is just an easy way they've found to 6 do this. So, and as Jose said earlier, the regulation 7 is not prescriptive because we want to allow licensees 8 to address the requirements how they feel.
9 So, I would say at this point, especially 10 for all of the operating plants, I mean, they have a 11 program that seems to work, so we're happy with what's 12 there. Advanced reactors, maybe things will be a 13 little different, but that will have to be a 14 discussion for this afternoon.
15 CHAIR HALNON: Yeah, you know, part of me 16 gets this picture of Muhammad Ali sitting in the 17 corner just taking the punches with his fists up and 18 waiting for the time to take the punch back.
19 It feels like we're in the corner, you 20 know, just taking the punches, so maybe down the road, 21 CISA, when we talk about that, Ryan, and the other 22 things we can talk, is there anything proactive going 23 on with defensive stuff?
24 And we don't need to answer that now.
25 It's just a thought that came to my mind and, you NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
66 1 know, we're kind of taking it in the chin looking for 2 different ways of protecting ourselves as opposed to, 3 you know, the other way around, and it may be 4 something we can't talk about in an open meeting.
5 MR. WARNER: I mean, again, the whole 6 point of the program is to ensure that we don't know 7 what's coming, so we're trying to be as prepared as we 8 can. We're trying to get as many layers of defense as 9 possible to ensure that critical systems remain 10 protected.
11 CHAIR HALNON: Yeah, okay, thanks. Go on, 12 please.
13 MR. WARNER: And then for my last couple 14 of slides, I'm just going to kind of give a brief 15 overview of the two types of implementation inspection 16 and the current inspection program.
17 So, the full implementation inspection 18 program ran from 2017 to 2021. It used a preliminary 19 version of the inspection procedure 711030.10, which 20 is what's used currently. Teams consisted of two 21 regional inspectors and then contractor subject matter 22 experts.
23 They were completed in 2021 and they 24 focused on ensuring that licensees were in compliance 25 with the requirements for establishing a cybersecurity NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
67 1 program, and these consisted of a week onsite, 2 followed by an offsite week, and then there was a 3 second week onsite, and then the CSB staff supports 4 remotely will sometimes go out in person just to kind 5 of keep fresh on things, but we're there to answer any 6 questions that the inspection team has.
7 CHAIR HALNON: So, early on in the program 8 development back in the '11, '12, '13 time frame, '14, 9 it was difficult to find SMEs. Is the community much 10 larger now or is it still real exclusive?
11 MR. WARNER: The community is much larger, 12 but the need is even greater. I mean, I was at a 13 conference last week and they were talking about it, 14 and it's -- licensees and just in general, 15 cybersecurity staff is difficult to come by --
16 CHAIR HALNON: It's still very --
17 MR. WARNER: -- and that's something 18 that's a very big challenge to all industries, 19 especially with how cyber-focused things are moving 20 forward.
21 CHAIR HALNON: Okay, Jose?
22 MEMBER MARCH-LEUBA: Yeah, we were making 23 a tour when we were talking about the inspection of 24 pipes, that you find yourself -- in terms of pipes.
25 The problem is the money. These other people are NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
68 1 stealing the little guys.
2 But my question on the audit, on the 3 inspections, is the focus on paperwork or how is it 4 implemented?
5 MR. WARNER: It's how it's implemented and 6 I'm going by personal experience. I mean, when we go 7 out onsite, we'll sit there and we have prep 8 beforehand where we are looking at documentation.
9 Just to make sure I'm just raising this right, we're 10 looking at the current inspection program now.
11 So, what we'll see is we'll look at any 12 changes that are made and we're trying to basically 13 ensure that the changes are being appropriately 14 implemented.
15 We'll go out and we'll look at what's 16 actually installed, make sure the protections are in 17 place that need to be in place. We'll review the 18 modification packages to ensure that any cybersecurity 19 criteria were addressed as part of the modification.
20 We look at storage of CDAs. We look at 21 procurement of CDAs. So, there's a lot of paper we do 22 review, but we're also out there looking at the 23 physical components and ensuring that they actually 24 implemented things appropriately.
25 MEMBER MARCH-LEUBA: Yeah, the concern is NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
69 1 when you are an inspector, you see there are good 2 licensees and there are bad licensees, and so there 3 are guys that are really concerned about it and they 4 may make a mistake, and there are others that say, 5 hey, I want to save money, and those are the ones you 6 have to look at more carefully.
7 MR. WARNER: And typically, then you will 8 see more findings as a result of the inspections 9 because of that.
10 MEMBER MARCH-LEUBA: Typically, the ones 11 that save money, they do their paperwork right.
12 CHAIR HALNON: Vicki, did you have a 13 question or anything? No?
14 MR. WARNER: And I've kind of covered this 15 a little bit, but now we're talking about the current 16 inspection program, similar IP, similar team 17 composition, two inspectors and then two contractor 18 subject matter experts, and again, focusing on 19 reviewing changes to the program and ensuring that the 20 licensees are implementing their programs to ensure 21 cybersecurity throughout the life cycle for any newly-22 installed CDAs, and this inspector program currently 23 consists of a prep week offsite and then one week 24 onsite.
25 CHAIR HALNON: And you said that's a NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
70 1 biennial?
2 MR. WARNER: Correct.
3 CHAIR HALNON: Every two years? So, have 4 you looked back given the, what, couple, three years 5 that we've been doing this? Is that frequent enough 6 for the way that things are changing?
7 MR. WARNER: There are some discussions 8 going on regarding basically we wanted some runtime 9 with the program and then look at it and see if 10 there's anything that needs to be changed.
11 CHAIR HALNON: Or maybe more frequent, too 12 frequent? I mean, it's possible it could be a three-13 year program given the fact that we're not changing 14 out plants all that much, but threats are obviously 15 evolving, so you're talking about internally.
16 MR. WARNER: I believe that's my last 17 slide. I'd say I'd ask for questions, but --
18 CHAIR HALNON: Yeah, well, I was going to 19 ask if, and I don't know if this is the right spot for 20 any recent -- I know that you have a reporting 21 structure and there's a report out back to the plants 22 as well with the CSAT response.
23 Could you talk a little bit or maybe go 24 down the road about the incident response and how that 25 works, and then any interesting stories you might have NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
71 1 relative that you can talk in an open session?
2 MR. WARNER: And I assume you're talking 3 more about like the agency Cyber Assessment Team and 4 how we handle licensee reporting of events?
5 CHAIR HALNON: Yeah, well, just take an 6 incident with someone that has -- I know that even in 7 an RPS, a reactor protection system actuation requires 8 at least a question whether or not it was a potential 9 cyberattack. How does that work that you guys get 10 involved in something like that?
11 MR. WARNER: So, we'll discuss that more 12 in the next presentation.
13 CHAIR HALNON: Okay, yeah, I just wanted 14 to make sure we don't lose that because I think that's 15 important as we get into the advanced reactor world 16 with the smaller staffs and more autonomous, not 17 completely autonomous operation.
18 I know that we're going to talk about that 19 down the road, but that comes up quite often. And, 20 you know, Jose, he's sort of our conscience. He rakes 21 over the news and sends us articles all the time about 22 potential cyber issues out there.
23 MEMBER MARCH-LEUBA: There are 30,000, 24 more than 30,000 vulnerabilities that have been 25 identified this year and we're in May. Most of these NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
72 1 are identified by ethical researchers, but 30,000.
2 Okay, I wanted to make a couple of comments.
3 MR. WARNER: Sure.
4 MEMBER MARCH-LEUBA: Okay, I wanted to 5 make a couple of comments on a high level because the 6 way I see it, I'm not going to make any plant safer.
7 You are. So, I'm trying to put ideas in your mind, 8 but, so I'm going to make two comments. One is 9 positive and one is, let's call it forward thinking.
10 The positive one comes from the news, CNN.
11 I've been following the Ukrainian War and you have the 12 brightest minds in the Russian security forces trying 13 to attack all the Ukrainian power plants and they have 14 not succeeded because they're sending bombs.
15 They cannot go through the cable and make 16 them fail, so something is working right. Maybe 17 they're in such a cocoon that they don't let anything 18 in and that's why they're succeeding, but maybe that's 19 the norm -- we need to operate normally.
20 The second forward thinking comment is I 21 am uneasy about this concentration of critical digital 22 assets. Our guys are always attacked where you are 23 not looking. And I also told when I used to work on 24 safeguards to my DOE boss that we need to have our 25 meeting in Las Vegas.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
73 1 And we should go to see all the magic 2 shows, because if I control the scenario, I can make 3 an elephant disappear, and that's the attitude you 4 guys have to have when you're doing this. If a bad 5 guy controls the scenario, don't let him control it 6 because an elephant can disappear.
7 Thank you. That's very good. I think 8 we're doing a great job, but it is your job to keep 9 the plants safe, not mine. I can only complaint.
10 CHAIR HALNON: Thank you, Jose. Any other 11 comments or questions on this presentation from the 12 members or members online? Okay, Dan, thank you.
13 MEMBER BROWN: Yeah, let me ask one 14 question.
15 CHAIR HALNON: Sure, go ahead, Charlie.
16 MEMBER BROWN: And it may be applicable to 17 the I&C part which is this afternoon.
18 CHAIR HALNON: Yeah, go ahead, please.
19 MEMBER BROWN: In one of the earlier 20 projects that we reviewed, this is eight years ago or 21 so, there was a network where a lot of data went into 22 and they talked about how some of that data was 23 critical data, but yet it went into the overall 24 network in a partitioned or segmented manner.
25 In other words, it didn't get run NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
74 1 routinely as the network operated. It was only 2 queued. If something came up from behind, you know, 3 the other, up through into that system that asked it 4 to be run.
5 I was never comfortable with that. I'm 6 not a programmer, so partitioning and how you do that 7 and prevent access during the routine operation of the 8 network for doing everything else that you're doing 9 within the plant, even the non-critical operations.
10 Do you all get involved in that or do you 11 try to work with -- or do you see that as the I&C guys 12 ensuring that the software development that's done for 13 that network has adequate protections within it?
14 It's like a giant server farm in a way, 15 but having little compartments that you can't get into 16 unless you're, you know, queued to get into it from 17 the more safe systems within the plant. Am I clear on 18 that question or --
19 MR. WARNER: Yeah, I think I understand 20 what you're saying. So, actually, just let me ask one 21 question.
22 MEMBER BROWN: Commingling software 23 fundamentally, but saying hey --
24 MR. WARNER: Right.
25 MEMBER BROWN: -- you can't get to this NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
75 1 little packet over here because we never ask for it 2 unless.
3 MR. WARNER: We don't really get too in-4 depth in that. If that was something that was being 5 done at a licensee, what I imagine would be we want to 6 ensure that, I mean, if it's data just speeding out 7 for monitoring purposes, then obviously, we want it 8 filtered through like a data diode to ensure there's 9 no communication back to your critical systems.
10 Beyond that, I don't want to speculate too 11 much more because just pulling something out of thin 12 air.
13 MEMBER BROWN: Okay, well, obviously, this 14 was overall a much larger range of thought processes 15 without all of the details of how it was going to be 16 utilized. This was a long time ago and we never --
17 I'm not sure we even finished the application on that.
18 It's been a while. It's just a software thought 19 process that I wanted to ask.
20 CHAIR HALNON: Thanks, Charlie. Any other 21 questions? Okay, we're a little bit ahead of 22 schedule. I'm going to go ahead and call the break 23 now and we'll be back at 10:15.
24 When we come back, we're going to expand 25 out a little bit and get into the inter-NRC NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
76 1 coordination between the offices and also the 2 intergovernmental agency coordination as we expand out 3 from the reactor going towards the grid. So, we'll 4 recess until 10:15.
5 (Whereupon, the above-entitled matter went 6 off the record at 9:52 a.m. and resumed at 10:15 a.m.)
7 CHAIR HALNON: Okay, this is the 8 cybersecurity presentations we're having for our 9 subcommittee. We're back in session and Dan, you're 10 up.
11 MR. WARNER: Good morning. I am back.
12 This is Dan Warner from the Cybersecurity Branch in 13 the Division of Physical and Cybersecurity Policy in 14 the Office of Nuclear Security and Incident Response, 15 and for this presentation, we're going to talk about 16 government interaction and coordination between the 17 NRC, NERC, and FERC, and then the role of DOE and DHS 18 CISA.
19 So, the key messages for this 20 presentation, the NRC has a long history of engagement 21 and cooperation with FERC, DHS CISA, and other federal 22 partners on cybersecurity and other issues.
23 The NRC's engagement with FERC on 24 cybersecurity ensured appropriate protection for 25 bounds of plant CDAs, and the Cyber Assessment Team NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
77 1 processes design both to coordinate internal response 2 to issues, as well as support early engagement with 3 interagency partners.
4 MEMBER BROWN: What is CISA?
5 MR. WARNER: It's the Cybersecurity and 6 Infrastructure Security Agency.
7 MEMBER BROWN: Oh, okay.
8 MR. WARNER: Ryan is our representative 9 and he'll be talking a little bit later.
10 MEMBER BROWN: Okay, sorry about that. I 11 actually read that, but thought I'd ask.
12 MR. WARNER: So, just a brief background 13 on bounds of plant. In January 2008, FERC issued 14 Order 706 which specified critical infrastructure 15 protection and reliability standards to safeguard 16 critical cyber assets, and it specifically exempted 17 facilities that are regulated by the NRC.
18 In March 2009, the NRC issued 10 CFR 19 73.54, protection of digital computer communications 20 and networks to NRC power reactor licensees, and that 21 also did not cover all bounds of plant equipment at 22 NRC power reactor facilities, which created a 23 potential gap between NRC and FERC regulation.
24 Then in March 2009, FERC issued Order 25 706(b) which clarified that BOP systems and equipment NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
78 1 not within the scope of 73.54 is subject to NERC 2 standards, and then nuclear facilities were allowed to 3 seek an exemption from those standards on a case by 4 case basis for digital assets they believed were 5 subject to the NRC's cybersecurity requirements.
6 Then in December of 2009, the NRC and NERC 7 signed a memorandum of understanding basically 8 addressing how they would handle their respective 9 authorities over the nuclear power plant 10 cybersecurity.
11 In 2010, NERC sent a survey called the 12 Bright Line Survey to power plants requesting them to 13 determine which of their components were potentially 14 subject to NERC standards and which ones were subject 15 to cybersecurity regulation under the NRC.
16 Then in August, NERC confirmed to the NRC 17 that based on the response to the survey, that NERC 18 had concluded the assignment of regulatory authority 19 for the BOP components was subject to the NRC 20 cybersecurity authority.
21 And then a memorandum between the NRC and 22 NERC and FERC will be discussed in more detail, will 23 be discussed actually in Jorge's slides which will be 24 after this presentation.
25 MEMBER BROWN: Is NERC a government agency NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
79 1 or is that a commercial industrial thing for the 2 electrical world?
3 MR. WARNER: So, NERC is the North 4 American Electric Reliability Corporation.
5 MEMBER BROWN: Right.
6 MR. WARNER: They are a non-government 7 entity that has been ceded authority for developing 8 standards and regulatory authority for power plants by 9 FERC.
10 MEMBER BROWN: When you say ceded?
11 MR. WARNER: So, basically FERC has 12 authorized them to act on their behalf with the 13 development of reliability standards and enforcement.
14 MEMBER BROWN: Can they do that 15 independent of keeping back -- I've looked at this 16 grouping of three different organizations and how does 17 anything ever get done?
18 MR. CINTRON-RIVERA: So, this is Jorge 19 Cintron. So, FERC provides oversight over NERC.
20 Pretty much NERC develops the reliability standards 21 that are able to ensure they are able to meet the 22 regulations for FERC. So, they do provide inspections 23 of the reliability of the grid.
24 MEMBER BROWN: Do they have to get FERC 25 approval for what they're doing or can they, do they NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
80 1 have the ability to take action with the industry in 2 terms of utilities, grip support, all that type of 3 stuff, or are they -- is there a leash? They always 4 have to come back, well, we want, we're going to be 5 doing this? We need -- that's a firefight. I mean, 6 people that run electrical stuff ought to be able to 7 fix things.
8 MR. CINTRON-RIVERA: My understanding is 9 that they have to go through FERC. Singh Matharu is 10 on the line, I don't know if he has more information 11 on that, but FERC has the oversight over NERC in these 12 aspects.
13 MEMBER BROWN: So, NERC only has a 14 limited, when you say ceded, they only have a limited 15 amount of things they can do independently based on 16 what is in whatever this memorandum of agreement is or 17 whatever document that's been signed. Is that 18 correct? Is there a document that cedes that?
19 MR. CINTRON-RIVERA: I can double-check 20 that. I don't know. Singh Matharu, are you on the 21 line?
22 MR. MATHARU: Yes, good morning. My name 23 is Singh Matharu. I'm in the electrical branch and 24 I've been coordinating our efforts with NERC and FERC 25 for a long time.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
81 1 So, to answer your question in a simple 2 manner, I think it would be easy to compare how the 3 standards' committees for nuclear power plants like 4 IEEE write standards and then the NRC issues a reg 5 guide that either takes exceptions or approves the 6 standards and says this meets our requirements and 7 regulations.
8 There's a similar relationship between 9 FERC and NERC where the FERC has the authority to 10 issue what we would call regulations and NERC would 11 write the corresponding standard to meet the 12 regulation. Does that help?
13 MEMBER BROWN: Okay, yeah, somewhat, but 14 IEEE, they change their standards without getting 15 approval from the NRC, but they then, the NRC then 16 makes a decision as to whether they're going to adopt 17 those standards. Is that --
18 MR. MATHARU: Correct.
19 MEMBER BROWN: -- the same?
20 MR. MATHARU: Correct.
21 MEMBER BROWN: So, NERC can develop 22 standards on their own for doing things which can be 23 followed by the utilities if they want to, but NERC 24 can then incorporate them into their regulations. Is 25 that -- that's kind of the way IEEE standards and --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
82 1 MR. MATHARU: Correct, correct.
2 (Simultaneous speaking.)
3 MR. MATHARU: Very similar relationship, 4 yes.
5 MEMBER BROWN: Okay, similar relationship, 6 okay, so they are independent, but their standards are 7 adopted or not adopted by NERC?
8 MR. MATHARU: Correct.
9 MEMBER BROWN: But industry can still use 10 some of those standards if they want to?
12 MEMBER BROWN: In areas where they have 13 the authority to do it?
14 MR. MATHARU: Yes.
15 MEMBER BROWN: Okay, thank you. I'm 16 sorry. I just had to get a handle on this.
17 MR. MATHARU: To give you an example, 18 after the breakup of the electrical utilities, the 19 nuclear power plants needed some assurance that the 20 grid would be maintained in a certain manner as far as 21 offsite power requirements would go.
22 So, FERC made the regulation and then NERC 23 told the utilities and the independent power producers 24 and the transmission systems how to maintain adequate 25 wattage, frequency, whatever our requirements are to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
83 1 the levels that would satisfy the nuclear power plant.
2 MEMBER BROWN: Okay, thank you.
3 MR. WARNER: In November of 2012, NERC 4 adopted CIP-002-5, which basically indicated how to 5 identify and categorize bulk electric systems, cyber 6 systems, and associated cyber assets based on the 7 adverse impact that loss, compromise or misuse could 8 have on the reliable operation of the bulk electric 9 system.
10 Essentially, what that did is it kind of 11 allotted a graded approach depending on some factors 12 which we'll go into a little bit further down the 13 line.
14 In 2022, the NRC approved for use 15 revisions to NEI 10-04 and 13-10, which incorporated 16 this graded approach in the latest versions of the 17 NERC standards.
18 This approach uses a number of criteria, 19 primarily the electrical output of a facility, to 20 determine if they were low impact, which is an impact 21 to the grade of 1,500 megawatts electric or less, or 22 medium impact, which is greater than 1,500 megawatts 23 electric, to the bulk electric system and the required 24 cybersecurity controls that need to be applied.
25 MEMBER BROWN: So, excuse me again. Now, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
84 1 to me, what that means is the grid is controlled 2 external to the plants, okay. They put it out there.
3 They either open or close the breakers. They adjust, 4 you know, and then our plants respond as a normal 5 generator would on a grid, okay, with all its 6 reactive, real power, et cetera, et cetera, et cetera.
7 So, the operation then, the paralleling of 8 our plants with the grid is controlled external to the 9 plant? Is that -- am I saying that correctly, or is 10 there an operator on the plant that then connects to 11 the grid under the influence of the controls --
12 (Simultaneous speaking.)
13 MEMBER BROWN: I'm just trying to get 14 that.
15 MR. CINTRON-RIVERA: Each nuclear power 16 plant has their internal memorandums of understanding 17 between the utility and the plant, so every activity, 18 if there is a severe weather event, if there is 19 maintenance of the lines, everything has to be 20 coordinated between the utility and the plant.
21 So, each plant has their own agreement 22 with the utility, the grid operator, to ensure that 23 all of those activities don't affect either the grid 24 or the operations of the power plant.
25 CHAIR HALNON: Charlie, you'll hear the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
85 1 term TSO, transmission system operator.
2 MEMBER BROWN: Yeah.
3 CHAIR HALNON: And those agreements were 4 forced, I don't want to say forced, they were --
5 during this period of time, they were put in place, 6 and INPO got involved with it as well, to make sure 7 that the TSO, utility, memorandums of understanding 8 and agreements were memorialized in some document.
9 So, that's pretty established that the 10 control room and TSO are in pretty frequent 11 conversations about --
12 MEMBER BROWN: Okay.
13 CHAIR HALNON: -- power changes and stuff.
14 I'm sorry, go ahead, Vicki.
15 MEMBER BIER: I have quick question. My 16 understanding, which may be incorrect, is that the 17 impact that a plant has on grid stability may not be 18 entirely based on megawatts, but also kind of where 19 it's located in the grid, and that, you know, certain 20 locations may be vulnerable even if there's only a 21 small amount of power generated at that location. Can 22 you talk about whether or how that's taken into 23 account?
24 MR. WARNER: So, I will say that some of 25 the other considerations, I didn't list everything, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
86 1 one of them is basically the grid operator can come to 2 a facility and say hey, because of condition X, Y, Z, 3 we need you to run, and then in the case of nuclear 4 plants, we're base load, so the anticipation is we're 5 always running.
6 MEMBER BIER: Sure.
7 MR. WARNER: So, this may apply more to 8 facilities that, for example, like in Texas, when they 9 had issues with the freezing a couple of years ago, so 10 that is one of the considerations that is taken into 11 account when looking at the impact to the grid and how 12 that impact what controls need to be applied to your 13 components.
14 MEMBER BIER: But this categorization of 15 low impact or high impact --
16 CHAIR HALNON: Vicki, your mic isn't on.
17 MEMBER BIER: Sorry, I thought I turned it 18 on. The categorization of low impact or high impact 19 is done ahead of time, correct, before there's an 20 event, so some things that are identified as low 21 impact early on because of megawatt rating may 22 actually turn out to be high impact in the situations?
23 MR. WARNER: Yeah, when we were doing the 24 reviews of the documentation, we had extensive 25 interactions with FERC's Office of Electric NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
87 1 Reliability and that was a question that did come up.
2 Is a licensee expected basically to increase their 3 protections if suddenly they are bumped from low 4 impact to medium impact due to some sort of exigent 5 circumstances?
6 And in that case, basically, no, they 7 don't have to apply the extra controls. For example, 8 the letter I was kind of talking about, I believe, is 9 a one-year time frame is as long as that can be in 10 effect, and then theoretically, conditions have 11 cleared up so that you can go back down.
12 And those circumstances are not typically 13 used for, like, weather events because of just the 14 immediacy of those, but are more established ahead of 15 time on a longer time scale to address, like you said, 16 maybe there's a power plant that's going through 17 significant work and it's going to be out, so they 18 need extra support on the grid.
19 MEMBER BROWN: Where are the grid 20 operators located?
21 CHAIR HALNON: So, there's multiple --
22 MEMBER BROWN: I know there's got to be 23 multiple --
24 CHAIR HALNON: Yes.
25 MEMBER BROWN: -- because we've got a NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
88 1 number of grid --
2 CHAIR HALNON: Right.
3 MEMBER BROWN: -- agencies, not only the 4 connect, or disconnect, or what have you. I 5 understand there's not a cohesive, totally cohesive 6 setup. So, they're in different -- they're not in the 7 plants is all I'm saying.
8 CHAIR HALNON: No.
9 MEMBER BROWN: They're in separate 10 locations and they control the general interactions, 11 the interface with other grids --
12 CHAIR HALNON: Right.
13 MEMBER BROWN: -- they interact with, et 14 cetera. My next question is because I'm ignorant on 15 this, all right? I come from the Naval side of the 16 thing and we tended to operate our electric plants 17 independently, so that the generators were not 18 parallel just because we don't want them both to go 19 away due to sudden power shifts.
20 And it's not the load. It can be reactive 21 current where all of a sudden, you overload something, 22 you overheat stuff, and you trip everything. That's 23 not a good idea for a submarine when they're in the 24 water somewhere.
25 So, aircraft carriers are a little bit NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
89 1 different. They do stuff differently. So, how does 2 that control of the general excitation systems in the 3 plant and its interface with the grid get controlled?
4 Is that done by the, what do you call it, the 5 transmission, the local operator in the plant? Do 6 they get told what to do?
7 CHAIR HALNON: Yes, the TSO will call the 8 plant and say I need more bars, less bars, I need --
9 MEMBER BROWN: Okay, so there is a direct 10 control back with the excitation control for --
11 CHAIR HALNON: Correct.
12 MEMBER BROWN: -- the connection to the 13 grid.
14 CHAIR HALNON: Yeah, and the nuclear 15 plants are pretty autonomous because of the potential 16 impact on the reactor core and reactivity. They won't 17 let anyone offsite control reactivity, so that's why 18 they have the telephone.
19 MEMBER BROWN: Yeah, I love that.
20 CHAIR HALNON: A telephone call is 21 necessary. That may not be the same for a gas plant 22 that's on the TSO control.
23 MEMBER BROWN: So, if you have a giant 24 outage where you lose a whole -- I mean, you hear 25 about blackouts. Many of those are driven by NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
90 1 overloading not necessarily the power side, but it 2 could be reactive current drains and what it's doing 3 to the systems and the trip systems.
4 So, is that still when those suddenly 5 happen? I take it there's a lot of communication with 6 those that in bulk power. Is that correct?
7 CHAIR HALNON: Yeah.
8 MR. MATHARU: This is Singh if I may help 9 with that answer.
10 MEMBER BROWN: Okay.
11 MR. MATHARU: So, what you're essentially 12 asking is a twofold question. The external entity, 13 which is the TSO, does not have any control over the 14 real or the reactive power that's generated by a 15 nuclear power plant.
16 MEMBER BROWN: Okay, that's what I 17 thought, so they've got to communicate.
18 MR. MATHARU: So, they've got to 19 communicate, number one. Number two, part of our 20 regulation, NRC regulation requires the offsite source 21 to be capable of supporting safe shutdown of the 22 plant.
23 So, the operability of the offsite source 24 is dependent on the strength of the grid and the 25 voltage that's maintained at the switchyard, and as NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
91 1 you know, voltage is a function of the reactive power.
2 MEMBER BROWN: Yes.
3 MR. MATHARU: So, one of the requirements 4 that we at the NRC impose on plant operators and they 5 in turn impose it on what we call the TSO would be 6 that the nuclear power plant does not support the grid 7 because if the nuclear power plant were to trip, then 8 the offsite source would not be adequate to support 9 safe shutdown.
10 MEMBER BROWN: Got it.
11 MR. MATHARU: So, using that logic, we, at 12 least the plant operators maintain minimum reactive 13 power output or the minimum supports that are required 14 for the grid.
15 So, we rely on the TSO to ensure that upon 16 loss of a nuclear power plant, the reactive power and 17 the real power demand will not adversely or I should 18 say impact the grid such that it will not be able to 19 support safe shutdown.
20 MEMBER BROWN: Okay, so then the plant then 21 becomes dependent upon its onsite emergency power 22 sources?
23 MR. MATHARU: Correct, we want to get them 24 on the backup plan, yes.
25 CHAIR HALNON: Yeah, in those agreements, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
92 1 there's pretty strict voltage requirements, frequency 2 requirements.
3 MR. MATHARU: Correct.
4 MEMBER BROWN: That was a good answer.
5 That was a good clarification. I was wondering who 6 controlled the reactive component to this stuff, and 7 so we do it internally on our plants --
8 MR. MATHARU: If we do it internally --
9 MEMBER BROWN: -- so we're not a grid --
10 recognizing we need the grid to shut down the plant 11 properly and in a stable manner.
12 MR. MATHARU: Correct.
13 MEMBER BROWN: Okay.
14 (Simultaneous speaking.)
15 MR. MATHARU: Just to elaborate a little 16 bit more, we had an event back in, I think it was 17 circa 1995, where there was, in the summertime, there 18 was an excessive transfer of power from one -- to the 19 other, and in the middle of that was our Callaway 20 Nuclear Power Plant and Callaway was supporting the 21 midpoint of that transmission system.
22 And we realized once the TSO did some 23 studies and they figured that if Callaway were to 24 trip, then the offsite source would not be operable as 25 such, so we wrote information orders that clarified NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
93 1 our position on that.
2 MEMBER BROWN: Really complex. Okay, 3 thank you very much.
4 MR. MATHARU: Sure.
5 CHAIR HALNON: My question was in the 6 first two bullets, there's a decade between the 7 adoption of CIP-002 and NRC's endorsement of 10.04.
8 During that time period, were we in an approving time 9 frame using basically the concepts and making sure 10 that that's what you wanted or was it --
11 MR. WARNER: So, everything that was in 12 place at the time was really the basic versions of the 13 documents that were issued when we first were 14 addressing these concerns.
15 The reason I brought this up is basically 16 saying that things kind of changed in how they're 17 assessing what controls need to be applied in the 18 interim between then and when we made revisions to 19 guidance, and in that time frame, we wanted to ensure 20 that we adopted the same approach so that we're 21 protecting the bounds at play.
22 Because while we are taking regulatory 23 authority for those bounds at play and assets, we're 24 still trying to maintain at least the protections that 25 FERC requires for similar facilities are non-nuclear.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
94 1 So, that was kind of the point of that, is 2 that we're adopting this new approach to be in line 3 with the current revisions of the NERC CIP standards.
4 CHAIR HALNON: Okay, thanks. Any other 5 questions? All right, let's roll on.
6 MR. WARNER: And then just, I've kind of 7 already covered it a little bit, but I'm just saying 8 that when we were doing the review of these 9 documentation changes, we coordinated with FERC's 10 Office of Electrical Reliability to ensure that the 11 changes we made were consistent with the latest NERC 12 CIP documents.
13 And then kind of giving a brief overview 14 of the controls, and again, these are the ones that 15 were in place when we first started doing the review, 16 there has been a little bit of an addition and I'll 17 cover that in a later side.
18 So, CIP reliability standard 003-7 defines 19 the cybersecurity controls to be applied to bulk 20 electric system cyber systems for lower impact CDAs, 21 and here at the nuclear plants, they're being referred 22 to as BOP CDAs.
23 They would need cybersecurity awareness, 24 which is essentially training, physical security 25 controls, electronic access controls, cybersecurity NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
95 1 incident response, transient cyber asset, removable 2 media, and malicious code risk mitigation, which is 3 PMMD in the nuclear space, and then declaring and 4 responding to CIP exceptional circumstances.
5 And then for medium impact controls, and 6 I will say for medium impact CDAs, these will be 7 called BOP-SCRAM/TRIP CDAs, there are not any CDAs 8 currently identified as medium impact at nuclear power 9 plants.
10 These would have the baseline 11 cybersecurity controls that we discussed in the 12 previous presentation that would basically apply to 13 BOP and indirects.
14 Similar to the beginning, it has the 15 personnel training, electronic security perimeters, 16 physical security controls, system security 17 management, incident response and response training, 18 recovery plans, configuration management, information 19 protection, and again, that declaring responding to 20 CIP exceptional circumstances.
21 CHAIR HALNON: I was curious that you said 22 there's nothing, no medium impact at NPPs, but our 23 previous discussion just talked about voltage and 24 frequency controls on the grid, which indirectly, if 25 not directly, can trip.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
96 1 MR. WARNER: So, all of the additional 2 potential categories that would apply to NPPs don't 3 apply as far as the letters saying they have to run 4 and all of that stuff. So, really the criteria we're 5 looking at for nuclear power plants is whether they 6 meet that 1,500 megawatt electric threshold.
7 There is no single unit at a U.S. nuclear 8 site currently that operates at greater than 1,500 9 megawatts electric, so the only potential medium 10 impact CDAs we are thinking that we will see -- this 11 is still fairly new, so a lot of plants haven't even 12 started trying to implement this guidance.
13 We would basically think that maybe if 14 there's a common system between two units, that could 15 potentially trip both units offline, but the odds of 16 finding that are pretty slim because that's not 17 something you'd want to have happen at your plant.
18 CHAIR HALNON: Yeah, so the 1,500 19 megawatts is more geared towards maintaining grid 20 integrity than it is a plant staying online --
21 (Simultaneous speaking.)
22 MR. WARNER: Correct, my understanding is 23 --
24 CHAIR HALNON: The nuclear power plant, 25 we're worried about staying online or at least a NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
97 1 controlled shutdown.
2 MR. WARNER: Yeah, and my understanding is 3 that requirement really is based on how much swing 4 capacity they have on the grid to be able to bring 5 online, because there's a stipulation that the actual 6 reading is a loss of 1,500 megawatts electric within 7 15 minutes.
8 So, if it's somehow over a longer time 9 frame, they can easily bring enough swing capacity to 10 cover that loss, so.
11 CHAIR HALNON: Okay, so that spending 12 reserve is what --
13 MR. WARNER: Right.
14 CHAIR HALNON: -- depending on -- when we 15 had the polar freeze way back when, the spending 16 reserve was basically not there, much less than the 17 ten percent they like to have on there. They have to 18 have at least ten percent spending reserve. Okay, so 19 it comes down very specific to the plant versus the 20 operators' --
21 MR. WARNER: Yeah.
22 CHAIR HALNON: -- ability to keep the grid 23 up and at frequency and voltage.
24 MR. WARNER: Correct.
25 CHAIR HALNON: Okay.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
98 1 MEMBER BROWN: That's the grid operators.
2 CHAIR HALNON: Grid operators, sorry.
3 MEMBER BROWN: I want to fix my 4 understanding of something you said a minute ago. Our 5 plants, the nuclear plants fundamentally supply our, 6 but not reactive current control. Somebody said 7 something like that, but yet the generator operates at 8 some power factor like 0.8 or what have you so you 9 can't overload it, so who controls --
10 I mean, the loads are the loads. The grid 11 wants power, but it also has to deal with reactive 12 currents which are controlled by the excitation from 13 our generator based on the regulators, voltage 14 regulators.
15 MR. WARNER: So, I'll take a crack at 16 this. Please feel free to chime in.
17 MEMBER BROWN: Well, let me --
18 MR. WARNER: Sorry.
19 MEMBER BROWN: Let me finish my thought.
20 MR. WARNER: Sorry.
21 MEMBER BROWN: No, I think I -- this is 22 another, since we don't really control grid reactive 23 current control. We've got about 20 percent of the 24 normal power that's required in the country, volt 25 power that's required. There's another 80 percent NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
99 1 that's controlled by gas, coal, oil, whatever we've 2 got. So, somebody else is taking care of the reactive 3 current on the overall grid.
4 If you had 500 plants, then we would have 5 to be part of the reactive control. Is that a correct 6 assumption? But if we were nuclear islands where we 7 could do that, it would be okay, but we're not nuclear 8 islands in most circumstances. We depend on the grid 9 to shut the plant down if we lose the generator.
10 MR. WARNER: And that is my understanding.
11 Basically, because we're base load --
12 MEMBER BROWN: Yeah, but the power base 13 load, but you --
14 MR. WARNER: Right.
15 MEMBER BROWN: The generator has some 16 reactive -- it's supplying reactive current --
17 MR. WARNER: Right.
18 MEMBER BROWN: -- to meet its generative 19 requirements. You just can't be all of one and 20 nothing of the other. That's not good for the 21 generator.
22 MR. WARNER: Right, and my understanding 23 is basically, and when I say basically, like your --
24 power plants, nuclear power plants are always just 25 producing the same amount, both regular power and NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
100 1 reactive power.
2 MEMBER BROWN: Right.
3 MR. WARNER: And then everything else on 4 the grid, which can be spun up much quicker and it 5 doesn't have an impact on the reactivity of the core, 6 is used to kind of balance everything else out.
7 CHAIR HALNON: Charlie, it's not unusual 8 for a system operator to ask a nuclear plant to change 9 reactive power.
10 MEMBER BROWN: No, I understand that.
11 CHAIR HALNON: But they have the strict 12 curves they stay within, the generator curves.
13 MEMBER BROWN: I got that. I was just 14 trying to get a better understanding of the 15 connectivity of the overall control relative to the 16 offsite.
17 They're the ones that are controlling 18 other assets that are providing that basic reactive 19 current control, but they are also controlling the 20 switchyard circuits and stuff, and that's where the 21 cyber issue comes in relative to the controls also.
22 I assume that's part of this whole thing 23 we're looking at and you certainly don't want -- I 24 mean, there are other folks other than our guys are 25 controlling the switchyard, is that correct?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
101 1 MR. WARNER: Yeah, I mean, we have 2 everything within the first inner tie of the grid is 3 our responsibility and everything outside then falls 4 under --
5 (Simultaneous speaking.)
6 MEMBER BROWN: Once our breaker is closed, 7 that's our connection.
8 MR. WARNER: Yes.
9 MEMBER BROWN: There's a lot of other 10 breakers out there that can get operated and my 11 concern is their impact on our plants if they get 12 tripped off in the wrong way and screw up the ability 13 to take care of our plants. That's what I was --
14 that's my cyber issue that I haven't really --
15 (Simultaneous speaking.)
16 CHAIR HALNON: That's exactly the 17 interface that we're trying to explore.
18 MEMBER BROWN: Yeah, okay, and that's --
19 okay, now that's what I'm looking for and that's the 20 kind of --
21 CHAIR HALNON: Okay, Charlie's caught up.
22 MEMBER BROWN: Pardon?
23 CHAIR HALNON: Charlie's caught up.
24 MEMBER BROWN: I'm finally caught up.
25 Thank you.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
102 1 MR. WARNER: So, I just want to emphasize, 2 so when the rule first came out, the bounds of play in 3 assets were not determined to be within scope of NRC 4 regulatory authority because they were not part of 5 safety, security, emergency preparedness, important to 6 safety.
7 So, that is -- obviously, we do know that 8 those bounds of play in assets can impact reactivity, 9 but when it comes down to it, you don't need them to 10 safely shut down the facility and keep it safety shut 11 down.
12 So, when we're looking at what we're doing 13 as far as bounds of play in digital assets is we're 14 basically trying to maintain what FERC is doing to 15 protect those assets and ensure grid stability is 16 maintained.
17 So, and you'll see that even though, if we 18 look at the low impact we looked at, like nuclear 19 power plants exceed what is currently required, and in 20 fact, in the next slide, I'm going to discuss how a 21 new requirement came out that we actually already have 22 determined that we addressed, so we can go to the next 23 slide. Thank you.
24 So, NERC CIP-003-9 came out recently. It 25 was recently released and it includes an additional NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
103 1 control for low-impact facilities. So, we were aware 2 when we were doing the review that there was new 3 guidance that was going to be coming down the pike 4 from our interactions with FERC.
5 So, we reviewed the document changes and 6 determined what changed from the previous version 7 that's currently incorporated in our guidance and if 8 it impacts bounds of play at CDAs.
9 So, there's an additional control specific 10 to low-impact power generation facilities which 11 requires facilities to implement vendor electronic 12 mode access security controls.
13 When we were interacting with FERC during 14 the review process, they also mentioned the only 15 incidents they were seeing were on low-impact 16 facilities.
17 And as we've seen from a lot of the 18 different attacks that have been publicized lately, 19 especially on like water infrastructure and those kind 20 of things, a lot of it people just using that vendor 21 remote access and being able to get in, whether they 22 got credentials from somebody or were able to find a 23 vulnerability they were able to use to access it.
24 So, we reviewed the controls that are 25 current in the latest version of NEI 13-10, Rev. 7, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
104 1 and there's already a requirement in there for these 2 low-impact CDAs that they have electronic access 3 controls either air-gapped or isolated by a 4 deterministic device.
5 So, in that case, even if there is a 6 vendor remote access that should be disabled, there is 7 no pathway to get there, so we've already determined 8 that that control has been addressed and no guidance 9 changes need to be implemented to incorporate the 10 latest version of CIP-003.
11 MEMBER BROWN: So, the electronic devices 12 that are actuating switchyard devices for whatever 13 purposes are air-gapped or isolated so they can't get 14 into our electric system and then somehow get back 15 into our safety systems or safety-related systems?
16 MR. WARNER: That is correct. And based 17 on what's required in the document, they need to have 18 physical security controls. If they're out in the 19 switchyard, they need to be protected by physical 20 controls. They need to have --
21 MEMBER BROWN: Electronic.
22 MR. WARNER: -- electronic controls. They 23 need to have this isolation behind some sort of 24 device. So, they may be connected to other devices 25 within the plant itself, but then they're subject to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
105 1 all of the same security requirements needed for those 2 types of CDAs.
3 All right, so this is a busy slide, but 4 this is the one we use and I kind of like it. So, 5 basically, what I wanted to go over here is the 6 various federal agencies that kind of have a touch 7 point to the different aspects of cybersecurity at a 8 nuclear plant and kind of where those roles reside.
9 Brian will give more detail later, but 10 we'll start with the Department of Homeland Security's 11 Cybersecurity and Infrastructure Security Agency.
12 They are the sector risk management agency for nuclear 13 plants.
14 They lead the national effort to 15 understand and manage cyber and physical risks to the 16 U.S. critical infrastructure, and that responsibility 17 includes communicating threats, vulnerabilities, and 18 to provide instant response services for that U.S.
19 critical infrastructure.
20 And we would interface with CISA during a 21 significant cyber event at an NPP licensee. I have an 22 example later on where we talk about the Cyber 23 Assessment Team that will kind of go over that a 24 little bit.
25 The Department of Energy are responsible NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
106 1 for advancing the energy, environmental, and nuclear 2 security of the U.S. The Office of Cybersecurity, 3 Energy Security, and Emergency Response, you'll 4 typically hear that as DOE CESER, is the lead for the 5 DOE's emergency preparedness and coordinating 6 responses to disruptions to the energy sector, 7 including cyberattacks, and the NRC would interface 8 with DOE during a significant cyber incident at a 9 nuclear power plant.
10 Then, of course, we have FERC, the Federal 11 Energy Regulatory Commission. They regulate the 12 interstate transmission of electricity, natural gas, 13 and oil. They have an MOA between us and FERC that 14 facilitates interaction on matters pertaining to 15 nuclear power plant cybersecurity, and we coordinate 16 activities regarding nuclear power plant cybersecurity 17 such as what we did with reviewing the new guidance 18 changes that are being implemented.
19 And then we have the Nuclear Regulatory 20 Commission. We have oversight in nuclear reactors.
21 We perform cybersecurity inspections at power plants 22 and then we coordinate with other federal agencies as 23 needed on matters pertaining to nuclear power plant 24 cybersecurity.
25 So, I'm going on a little bit about the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
107 1 agency's Cyber Assessment Team. I am the Cyber 2 Assessment Team lead for the agency. So, the CAT is 3 a team of headquarters and regional cyber experts that 4 activates in response to cyber events at NRC 5 licensees.
6 So, we have NSIR cybersecurity staff, 7 headquarters subject matter experts, and we have 8 regional cybersecurity inspectors that are part of the 9 team.
10 We evaluate cyber events at licensees, 11 primarily power reactors, and we assess the severity 12 of the event and provide recommendations to agency 13 leadership, and we also assist in internal 14 coordination between headquarters and the regions.
15 CHAIR HALNON: Dan, how many events do you 16 guys screen on a regular basis? I mean, pick a time 17 period.
18 MR. WARNER: So, the -- and actually, 19 we'll go into this in a couple of slides, but, so the 20 CAT typically activates in response to any reports 21 that are made under 10 CFR 73.77. Those reports would 22 go to the WHO, and then when they feed to us, to me, 23 then I determine what we need to do as far as 24 activation.
25 There has never been an incident report NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
108 1 under 73.77 since it was issued in 2015, so the CAT 2 has never officially activated other than to primarily 3 address non-licensee regulated systems, typically 4 licensee business systems. In that case, it's mostly 5 just ensuring that management is aware of what's going 6 on.
7 CHAIR HALNON: How often do you drill?
8 MR. WARNER: I've been the CAT lead for 9 over a year and I haven't because the nature of a 10 cyberattack is such that any incident response that 11 would start and activate the ops center won't be 12 identified as a cyberattack until weeks after the 13 incident is addressed.
14 So, in the actual CAT, like the SME 15 cybersecurity portion of the response has been 16 removed, so ops center and the team there would deal 17 with the issue and make sure the physical consequences 18 of something are dealt with, and then once it's 19 determined to be a cyberattack, that's when we would 20 be brought in, but like I said, that really probably 21 wouldn't be identified until weeks later.
22 CHAIR HALNON: Okay, so you're looking at 23 a very discrete event that's sort of underneath the 24 radar because the physical impact is more important to 25 establish a stable shutdown plant?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
109 1 MR. WARNER: Correct, the ops center 2 activates to make sure the plant gets into a safe 3 position and stays there, and then once the forensics 4 start getting on and figuring out what actually 5 happened, then we'd be called.
6 CHAIR HALNON: So, there's no scenario 7 that you can come up with that would require at least 8 a parallel, after an incident or during, while the 9 incident --
10 Because, I mean, just take something we 11 know the most about is Three Mile Island took several 12 days to get to the point where we were okay with it 13 from a stability standpoint. You don't see any 14 scenario that that aspect needs to be drilled through 15 the parallel interactions?
16 MR. WARNER: In that case, I could see us 17 being kind of brought in and brought up to speed if 18 there was some sort of evidence that seemed to 19 indicate that a cyberattack might have been 20 responsible.
21 CHAIR HALNON: Okay.
22 MR. WARNER: But even in that case, it 23 would really be awareness, because until we are 24 actually notified that something happened, we can't 25 really act on it. We do have site assessment teams NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
110 1 that can go out and help with that, and we're 2 obviously more than willing to provide that assistance 3 if it comes up, but --
4 CHAIR HALNON: Okay.
5 MR. WARNER: Yeah.
6 MEMBER MARCH-LEUBA: So, the CAT will be 7 involved in the postmortem if something like this 8 happens, in analysis of root causes and --
9 MR. WARNER: Yeah, once we get to a point 10 where they have a reasonable assurance that there is 11 a cyberattack involved, and then any reporting that's 12 made. There has not been an incident on a licensee, 13 NRC regulated system. Everything we've seen, and 14 again, we'll kind of go on it later, has been on the 15 business side.
16 (Simultaneous speaking.)
17 MEMBER MARCH-LEUBA: Most people -- Walt, 18 wait a moment. Most people think of cyberattacks as 19 millisecond response, and what I read is that when bad 20 guys penetrate a corporation, on average, they're 21 there for 90 days before they get discovered, so 22 that's where the CAT would come to figure out why they 23 got there and did we get rid of them? Walt wants to 24 go.
25 CHAIR HALNON: I think Brian was going to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
111 1 jump in there.
2 MR. YIP: Yeah, this is Brian Yip, if I 3 could just add to that. Looking at the agency's 4 incident response program, we used to have a construct 5 where, on the security team, you would have physical 6 security experts and then also a single cybersecurity 7 expert that would sit on that team.
8 What we did in the past couple of years 9 working with the Division of Preparedness and Response 10 was instead set up all of the incident response 11 procedures where -- you know, as Dan mentioned, the 12 first indication that something's wrong is going to 13 manifest physically most likely.
14 So, while the incident response 15 organization is addressing the actual incident onsite, 16 if they have indications that the incident is cyber 17 related, it's built into their procedures to activate 18 the CAT and the CAT would serve as an advisor to them 19 and work in parallel so that we could address the 20 cyber issues as soon as they're identified in 21 coordination with the actual incident response.
22 CHAIR HALNON: Thank you. Walter?
23 24 MEMBER KIRCHNER: Thank you, Greg. I was 25 going to follow up on your question.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
112 1 Dan, do you -- does the CAT team look at 2 other incidents perhaps not at nuclear plants and just 3 do kind of an assessment of potential vulnerabilities 4 or that -- or reflect on your own programs based on 5 those incidents? And if that's the case, have you 6 made any changes to your guidance as a result of some 7 of the more recent events, whether it's the aquarium 8 or the clean water system in Florida, or any of those 9 attacks? Have you assessed those and then made any 10 changes to your program?
11 MR. WARNER: So we're on a number of 12 distributions such as like FireEye, which I think has 13 changed to a different name at this point. And then 14 like E-ISAC when they're basically reporting events 15 that are out there, vulnerabilities. So we are 16 looking at those and kind of keeping an eye on things.
17 In the grand scheme of things the NRC and 18 nuclear power plants are well ahead of the rest of 19 critical infrastructure as far as cybersecurity --
20 Ryan, chime in if I'm speaking wrong --
21 part of that being because we've had regulatory 22 authority since 2009 to enforce cybersecurity 23 protections where a lot of the other critical 24 infrastructure just don't have the authority to force 25 people to do things.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
113 1 And so in a lot of these cases we look at 2 things, but because of the architecture, because of 3 defense-in-depth and the way things are required, most 4 cases we don't have to worry. We're covered.
5 And, Ryan?
6 MR. BECHTEL: Yes, I'll just add that --
7 MEMBER MARCH-LEUBA: Say your name for the 8 record.
9 MR. BECHTEL: Oh, this is Ryan Bechtel 10 from DHS/CISA. Yes, I'll just add an echo to that 11 that the nuclear sector is pretty unique amongst the 12 16 critical infrastructure sectors in that it is so 13 well and heavily regulated. There are some sectors 14 that just simply don't have anything resembling a 15 regulatory structure that is seen here. So a lot of 16 nuclear tends to be the one that detects things first 17 amongst these sectors.
18 MEMBER KIRCHNER: Thank you.
19 MR. WARNER: So I mean stole my thunder a 20 little bit, but we'll go over the slides anyways.
21 So CAT is primarily activated by the Ops 22 Center in response to a licensee event, or it's under 23 10 CFR 73.77. Any reportable cyber event under 24 73.77(a) will trigger a notification to myself as the 25 CAT lead. There have been no 73.77 reports since the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
114 1 rule took event in 2015. There have been incidents 2 that have been on non-regulated licensee systems such 3 as corporate networks, but a CAT was not activated in 4 part due to privacy concerns.
5 Management, the CAT lead, or regional 6 staff can request the activation of the CAT based on 7 the information received from or about a licensee or 8 other industry cyber event, and we have activated to 9 leverage the process to assess non-licensee cyber 10 events.
11 And I think our next slide, if we could go 12 to it, kind of covers that. So this is based on a 13 real event. So I as the CAT lead was notified of an 14 incident involving the licensee's business network and 15 what is speculated maybe as a ransomware attack or 16 some sort of exfiltration of data.
17 I determined if the incident would have an 18 impact on NRC-regulated systems. If not, then no 19 further activation is needed. I'll work with the 20 chief of the Cybersecurity Branch. We determine if 21 any briefing documents for management need to be 22 prepared and if there's any courtesy notifications 23 that needed to be made to DHS/CISA.
24 If CISA notification is needed, contact is 25 made with the nuclear sector risk management agency NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
115 1 and the threat hunting groups to ensure awareness and 2 provide points of contact for any necessary follow up.
3 And basically this is the chain of events 4 that happened with a recent event. We made sure that 5 CISA was aware since it was not on an NRC-regulated 6 system and had impact for potential multiple 7 licensees. We wanted to at least ensure that they 8 were aware and this wasn't going to come as a 9 surprise.
10 DR. BLEY: This is Dennis Bley. This is 11 a minor point. On your last exfiltration, that seems 12 an odd word to me. Usually that's -- we exfiltrate 13 our troops or something or we get the data to go away.
14 You really mean just taking data from the place that's 15 been attacked, right?
16 MR. WARNER: Correct. Basically it's 17 somebody going in, taking data, and --
18 DR. BLEY: Okay.
19 MR. WARNER: -- pulling it out for 20 whatever use.
21 DR. BLEY: Maybe I'm thinking more 22 sinister here.
23 MR. WARNER: And then just to kind of wrap 24 things up, talking about more coordination. So the 25 DHS Threat Hunting Group has been receiving some NRC NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
116 1 training. Staff are working with staff from the DHS 2 Cybersecurity Division's Threat Hunting Team. They 3 are responsible for responding to cybersecurity 4 incidents at critical infrastructure facilities and 5 want to help familiarize them of nuclear technology.
6 They went down to the TTC down in 7 Chattanooga, which is our technical training center, 8 and they attended a course of R-105, which is nuclear 9 technology for security. Essentially a streamlined 10 version that gives all the highlights, but not a lot 11 of in-depth into physics and how reactors work and all 12 that fun stuff.
13 And then the same team will be visiting 14 Millstone just trying to get familiar with the 15 licensee facility. And they will also be 16 participating in a short class on radiation protection 17 later this year. That's all I got.
18 CHAIR HALNON: Does anyone have any 19 further follow up or questions?
20 Okay. Jorge, I think you're up.
21 MR. CINTRON-RIVERA: Good morning. Can 22 you pull up the slides for --
23 CHAIR HALNON: My sense is we've talked 24 around your presentation quite a bit. And once you 25 get we up -- well, once people see words on a screen, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
117 1 they tend to come up with new questions.
2 MR. CINTRON-RIVERA: Well, good morning.
3 My name is Jorge Cintron-Rivera. I work for the 4 Office of Nuclear Reactor Regulations, the Division of 5 Engineering and External Hazards in the Long Term 6 Operations and Modernization Branch. Along with me is 7 Singh Matharu. He's a senior electrical engineer, 8 previous point of contact for NRC and NERC 9 coordinations. And also joining me as well is Kenneth 10 See. He is the dam safety inspector officer in case 11 that we have any questions regarding to the safety 12 inspector program. And today I will be talking to you 13 about the NRC coordination with FERC and NERC.
14 Next slide, please? Just an outline for 15 the presentation. I will provide some purpose and 16 objectives of the presentation, the background, some 17 background information about how we develop some of 18 the documents that we have in place for communications 19 between the NRC, FERC, and NERC. We will talk a 20 little bit about the NRC and FERC requirements and 21 standards, a common interest, interagency agreements 22 and interactions, multiple of them like a Memorandum 23 of Understanding, the MOA, and the IEA between NRC and 24 FERC regarding safety inspection. We will also cover 25 NRC and FERC's jurisdiction boundaries and we will NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
118 1 provide some scenarios of coordinations that we have 2 had during the -- between agencies.
3 Next slide, please? So the purpose of our 4 objectives is to provide a briefing to the ACRS on the 5 governmental interactions for protecting the grid and 6 power conversion. We will need to familiarize with 7 the agreements that we have in place between NRC and 8 FERC and NERC to facilitate communications between 9 agencies. We will discuss the comparative roles 10 between the NRC, FERC, and NERC and discuss the 11 jurisdictions for each agency to protect the grid.
12 Next slide? Some background information.
13 The NRC, FERC, and NERC provides regulatory oversight 14 of protecting the grid. The most significant event 15 that influence the level of NRC and FERC coordination 16 occur in August 14, 2003 station blackout. This event 17 has been the largest powers outage in U.S. history 18 occurred in Northeastern United States and parts of 19 Canada.
20 Approximately 500 generating units 21 experienced shutdown that day including nine U.S.
22 nuclear power plants and seven Canadian nuclear power 23 plants. Nine of those U.S. nuclear power plants 24 experience reactor trips all happening within 1 minute 25 and 23 seconds of the event. The time to the full NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
119 1 power was available again to the U.S. nuclear power 2 plant stations ranged from one to six-and-a-half 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />. This power outage affected 50 million people 4 in the United States and Canada. This experience 5 highlights the need for formal agreements between the 6 NRC and FERC to ensure that there is sufficient 7 communications or coordinations.
8 9 So therefore this pretty much event 10 triggered the development of multiple MOUs and MOAs to 11 facilitate the coordination between agencies. Each 12 agency agreements has established the roles and 13 responsibilities for each agency and provide guidance 14 for the cooperative work through the events of 15 multiple interests.
16 Next slide, please?
17 CHAIR HALNON: Jorge, that event was --
18 now we're 20 years into it. And obviously the energy 19 of the organizations to get together and figure it out 20 right after those types of events are both internally 21 and externally induced to the point where there's a 22 fervor of activity. What gives us confidence that 23 that level of MOU and level of cooperation is still 24 the same level of intensity, if you will, given 25 today's environment 20 years later?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
120 1 MR. CINTRON-RIVERA: So in terms of 2 ensuring we revise those documents certain amount of 3 time now is I think every five years. We do engage in 4 communication with FERC and NERC with different topics 5 during the year depending of some of the topics --
6 but, we do have communications between both agencies 7 and right now mostly we try to ensure that what we 8 have there is sufficient and if we need more 9 information.
10 I understand that, yes, it might seems to 11 be more like a reactive instead of active, but we --
12 after the Texas weather event I think we have engaged 13 more communication, talking to the regions and talking 14 with FERC to ensure that we are in constant 15 communication. As recently -- last year I think we 16 did a workshop to ensure that each agency knows their 17 roles and responsibilities. The staff as well. And 18 also we have invited FERC as well to talk about us 19 about their activities that they're doing related 20 to -- of common interest.
21 CHAIR HALNON: Okay. And I think there's 22 an annual NRC commissioner meeting as well, too, 23 that --
24 (Simultaneous speaking.)
25 MR. CINTRON-RIVERA: Correct.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
121 1 CHAIR HALNON: -- a touch point to make 2 sure --
3 (Simultaneous speaking.)
4 MR. CINTRON-RIVERA: It's usually 5 biennial. We had it last year, but then because of 6 the COVID the schedules were a little bit shifted. So 7 we're having it as well. It should be -- we are 8 working right now in the development of the setting of 9 the date with both commissions. And even it's going 10 to be this October.
11 CHAIR HALNON: Okay. So but typically 12 it's biennial?
13 MR. CINTRON-RIVERA: Biennial.
14 CHAIR HALNON: Okay.
15 MR. CINTRON-RIVERA: Correct.
16 CHAIR HALNON: Thanks.
17 MR. CINTRON-RIVERA: So NRC and FERC 18 common interest. The NRC and FERC have multiple 19 interests related to the nation's electrical power 20 grid reliability, nuclear power plant safety and 21 security. In summary, the NRC evaluates the design, 22 operation of nuclear power plants and electrical power 23 grid systems. FERC regulates the interstate 24 transmission of electricity and focus on the 25 reliability, integrity, security, and operation of the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
122 1 electrical power grid.
2 FERC also provides oversight on -- of 3 NERC. NERC's mission is to assure that the 4 effectiveness and efficiency of the risk and the 5 reliability of the security -- the grid is maintained 6 and develops and enforce reliability standards -- not 7 only assess the system on long-term reliability and 8 monitors that both power systems through the systems 9 awareness and educates, train and certify industry 10 personnel.
11 Next slide, please? Requirements of 12 standards for protecting the grid. The NRC evaluates 13 the design and operation of nuclear power plants and 14 electrical power grid systems. Some of the 15 requirements that we have in place for electrical 16 systems is General Design Criteria 17 which requires 17 that -- to maintain at least to independent circuits 18 from the off-site. 10 CFR 50.65 requiring for 19 monitoring and effective maintenance of nuclear power 20 plants. And we also have tech specs in place for 21 limited conditions of operations in case there is an 22 issue with the grid or a plant as well.
23 And we also issued the United Letter 2006-02 and 24 which is the agreement reliability and impact on plant 25 risk and reliability of the off-site power plants.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
123 1 FERC regulates the interstate transmission 2 of electricity. It focus on the reliability, 3 integrity, and security of operation of the bulk of 4 power systems and provides oversight over NERC. And 5 there's been some for sure the effectiveness for those 6 shown on the risk and liability. Develop the 7 standards on risk and long-term reliability and 8 monitors the bulk power awareness.
9 CHAIR HALNON: How does NERC enforce 10 reliability standards?
11 MR. CINTRON-RIVERA: So they have the 12 power to provide inspections of the grid to ensure 13 that each of the TSOs are meeting their reliability 14 standards. And those are coordinated between FERC and 15 NERC.
16 CHAIR HALNON: So they have an inspection 17 branch as well as a standards development --
18 (Simultaneous speaking.)
19 MR. CINTRON-RIVERA: Yes, mostly 20 concentrated on security and protection of the 21 systems.
22 CHAIR HALNON: Okay. Thanks.
23 Walt?
24 MEMBER KIRCHNER: Yes, I have a similar 25 question, Greg, on reliability.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
124 1 Overall robustness of the grid across the 2 nation to a large extent depends on stemming reserves.
3 As we retire coal plants, for good reasons related to 4 climate, we've taken a lot of the hardware or spinning 5 reserves so to speak and hence robustness of the grid.
6 How does NERC deal with the evolving composite parts?
7 We're probably going to get for example less energy 8 out of hydro with the impact of climate change, 9 especially out in the West where I am, et cetera.
10 There's reliability kind of on a piece/part level and 11 then there's reliability and robustness at a much more 12 national level going back to -- your Northeast 13 blackout slide is a good example.
14 So how does NERC's mission deal with that 15 aspect of maintaining the overall robustness and 16 reliability of the grid?
17 MR. CINTRON-RIVERA: So -- and, Singh, 18 feel free jump in if I miss something, but as part of 19 the requirements under -- or the development of the 20 reliability standards that they have each individual 21 TSO or ISO has to pretty much predict pretty much what 22 are the -- what are going to be the lows for each day 23 and any work or issue that is affecting the grid. So 24 therefore they usually have a estimate of reserve that 25 they have in place. If the reserve are -- grows not NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
125 1 be in -- within the limits of the standards, they have 2 to enter in communications with the operators to 3 ensure that there is no issues between the reserve of 4 the power systems.
5 So again, it falls more on the -- each of 6 the TSOs to ensure that there is enough capacity and 7 there is enough reserve to provide during the 8 operations of each day. And we -- previously we used 9 to issue a report every day of providing that 10 information on if there's going to be -- how many 11 reserve each of the TSOs have. We look in if there 12 was any sonar -- solar storms that could affect the 13 grid, all -- we used to do a report every day, but 14 because not many people in the agency were -- we were 15 not using it as much. We just rely right now on the 16 TSOs to ensure that they provide the informations and 17 communicate with each of the nuclear power plants in 18 case there is not enough reserves.
19 MR. MATHARU: Yes, this is Singh, Walt.
20 We don't have a good answer for you, let's put it this 21 way. The question is very valid. What we are doing 22 on the grid is two things: Like he said, we are 23 retiring some of the base load coal plants that we 24 had. In addition to that, we are now adding 25 renewables like wind power, which are not very NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
126 1 reliable either as far as maintaining grid frequency 2 because depending on the circumstances we could lose 3 a lot of generation.
4 The other challenge was after the breakup 5 of the monopolies that the utilities had the intent of 6 every TSO was to maximize their progress. So the 7 spinning reserves, as you know, cost money and 8 nobody's paying for them, as such. So we lost a lot 9 of reserve power that was just running as a spinning 10 reserve. So NERC and FERC have a challenge to meet 11 what you're asking, which is long-term planning of how 12 we're going to maintain reactor power especially 13 during challenging times.
14 But so far, like Jorge said, we are 15 managing. Going forward we don't have a good answer 16 for you.
17 CHAIR HALNON: I would just add that a lot 18 of the discussion surrounding the new reactors and the 19 load-following capabilities of those are kind of based 20 in this renewable aspect of, yes, high sun periods, 21 high wind periods and whatnot. And all this is kind 22 of factoring into their challenge of how do you manage 23 this when you really are not in control of what kind 24 of base load you're going to have, or what kind of 25 base load generation you're going might have.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
127 1 MR. MATHARU: Absolutely. In fact, there 2 were a lot of proposals where the transmission system 3 operators want to engage with controlling the nuclear 4 power plants. And like we discussed earlier on, we 5 were -- shied away from that.
6 MEMBER KIRCHNER: Thank you. It was a 7 leading question and I knew would be a difficult 8 answer.
9 CHAIR HALNON: Continue on, Jorge.
10 MR. CINTRON-RIVERA: So as I mention 11 before, the NRC, FERC, and NERC, we have multiple 12 agreements in place to ensure that all the information 13 that we share is properly handled. Currently with NRC 14 and FERC we have three agreements. We have one MOA 15 for liabilities, cybersecurity, and physical security.
16 We have the dam safety interagency agreement and the 17 security coal energy electrical infrastructure 18 information, or CEEII MOU. And also have NRC and NERC 19 MOU for security and physical security.
20 Next slide? The reliability, 21 cybersecurity, and physical MOA facilitates 22 interaction between the NRC and FERC on matters of 23 multiple interested related to the reliability of the 24 nation electrical power grid, of the nuclear power 25 plant safety and security. We added cybersecurity, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
128 1 physical protection, and emergency response. The 2 document provides guidance for sharing operational 3 events, information between the NRC and FERC and it 4 provides a agreement to coordinate activities relating 5 to cybersecurity and physical protection of share 6 critical infrastructure assets including sharing of 7 information on threats.
8 This MOU was issue as a response from the 9 2003 event and it has been recently revised in 2022.
10 It will be active until 2027 unless there is a 11 required change that triggers the revision of the 12 document.
13 MEMBER MARCH-LEUBA: So there is sunset on 14 the agreement on 2027, or that you plan to revise it?
15 MR. CINTRON-RIVERA: There is a 16 termination clause in the agreement.
17 MEMBER MARCH-LEUBA: It's a sunset?
18 MR. CINTRON-RIVERA: Yes, which we also 19 revised. Typically we used to go through a complete 20 revision of the document, but sometimes also the 21 information between -- coordination between both 22 agencies is still -- doesn't change as much. So right 23 now we have -- on 2027 if there is no changes needed 24 to the document, what we will do is to issue a memo 25 reissuing the previous MOA unless there is technical NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
129 1 changes that we need to provide in the document. Then 2 it will require a major change.
3 So typically we will start probably a 4 year-and-a-half since it's a multiple-agency document.
5 So they -- we pretty much -- we went through this 6 exercise last year and we pretty much got the input 7 from both agencies and then all the way to the --
8 (Simultaneous speaking.)
9 MEMBER MARCH-LEUBA: Certainly above our 10 pay grade, but you have to renew this -- as the 11 government shut down, one of these things that happen 12 regularly, it is best to keep it operational --
13 (Simultaneous speaking.)
14 MR. CINTRON-RIVERA: So some of the --
15 like the dam MOA -- or IAA, sorry, it doesn't have a 16 expiration date as well as the NERC/FERC MOU. Those 17 are in place until change is needed for adding more 18 information. As far as the CEII and the reliability 19 one, there has always been a termination clause. So 20 it might be something to consider as well later on for 21 revisions.
22 The dam safety interagency agreement, it 23 provide guidance to the NRC and FERC for implementing 24 the NRC Dam Safety Program. Pretty much FERC assists 25 the NRC by providing expertise to conduct inspections NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
130 1 at dams. SECY-91-193 established the NRC Dam Safety 2 Program Plan, which provides insurance of compliance 3 of federal guidance for dam safety.
4 Currently there are eight dams that are under 5 NRC jurisdiction. Seven of the dams are operating 6 power reactors. One of the dams is a uranium recovery 7 facility.
8 So typically there is a statement of work 9 developed for the planning and implementation of the 10 inspections of the safety dams, and that is handled by 11 our colleagues on the Dam Safety Program following the 12 IAA which was issue in 1992.
13 The CEII MOU is an agreement between the 14 NRC and FERC to ensure safety and security of the 15 electrical grid by protecting critical energy 16 infrastructure or CEII structures.
17 The NRC staff responsible for national 18 identifying information that maintains CEII and in 19 consultation with CE -- FERC's, sorry, CEII 20 coordinator. This MOU was issue in 2008 and it was as 21 well as re-signed in 2022 for a five-year extension.
22 Finally, the cyber and physical security 23 MOU between the NRC and FERC -- and NERC, sorry. It 24 establish the roles and responsibilities between the 25 NRC and NERC as they relate to the application of NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
131 1 their respective cyber and physical security 2 requirements for the protection of the assets in the 3 U.S. nuclear power plants. It focus in the prevention 4 of radiological sabotage and the reliability of the 5 bulk of the power system.
6 The MOU establishes inspection protocols 7 for each agency. Digital assets that can affect the 8 safety and security and the emergency preparedness 9 especially digital assets related to continued power.
10 It provide guidance for sharing all information to 11 carry out of the intent of the MOU and it was -- this 12 M O U w a s r e v i s e i n 2 0 1 5 .
13 14 CHAIR HALNON: Jorge, does this MOU 15 eliminate or prevent overlap in inspections? I mean, 16 is this the one that gave us the -- for lack of better 17 term, the line between what NERC looks at and what the 18 NRC looks it in a power plant?
19 MR. CINTRON-RIVERA: I don't believe it's 20 the MOU. It was mostly -- and, Dan, you can elaborate 21 on this.
22 MR. WARNER: Yes, I believe the MOA 23 between NRC and FERC is what really divided that line 24 and basically said, hey, you guys can regulate 25 everything within that first intertie of the breaker NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
132 1 a t t h e N R C f a c i l i t i e s .
2 3 CHAIR HALNON: Okay.
4 MR. CINTRON-RIVERA: This is just a 5 pictorical background of how each agency interacts and 6 along with each of the MOUs that we have in place. As 7 you can see on the top, we have FERC and the NRC with 8 three different agreements that we have in place as 9 well as NERC. Then FERC provides the oversight over 10 NERC. And then NERC implements the reliability 11 standards over the utilities.
12 And this is what we were just talking 13 about, the NRC and FERC jurisdictions. So this -- was 14 revised last year to encompass all that information.
15 So that's pretty much the line between the first 16 breaker and the switch yard all the way to the grid.
17 That's under FERC jurisdiction. And then from the 18 first -- from that point to the plant is under both 19 agency jurisdiction, however because of mutual 20 agreement the -- both agencies have agreed that NRC 21 will provide the oversight of those areas.
22 CHAIR HALNON: Back on the dam safety, 23 that's less cyber and more physical dams, is that 24 correct?
25 MR. CINTRON-RIVERA: I believe that's NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
133 1 correct.
2 CHAIR HALNON: And any cyber controls 3 would be picked up by the NERC process downstream of 4 -- because I mean, there certainly is a cyber element 5 to operating a dam as well, especially a hydro, but --
6 MR. CINTRON-RIVERA: Yes, when we talk 7 about that -- and, Kenneth, feel free to jump in --
8 when we talk about dams most of these dams that we are 9 -- under our jurisdiction are because they are the 10 ultimate heat sink of the plant. So therefore this is 11 -- maybe it doesn't have to be hydro or -- but it --
12 because is of the ultimate heat sink, that's why we --
13 they're our jurisdiction. And then FERC is the one 14 that provides assistance in performing those 15 inspections.
16 CHAIR HALNON: Okay. How about Keowee and 17 Oconee's emergency power system? I mean, that's very 18 unique and special. Do you have any -- you know 19 anything about how that coordination is taken care of?
20 MR. CINTRON-RIVERA: Kenneth, you're in 21 the line?quality 22 MR. SEE: Yes, that -- Oconee is not one 23 of the plants that we have in our Dam Safety Program.
24 I think the list I have -- I can just rattle it off 25 real quick, if you're interested.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
134 1 So it's North Anna, Harris, McGuire, 2 Catawba, V.C. Summer, Farley, and Comanche Peak, 3 though you should understand Oconee has got a great 4 deal of interest.
5 CHAIR HALNON: Those are the ultimate heat 6 sink dams basically?
7 MR. SEE: Yes, if I had time I'd give a 8 little presentation. To fall within the Dam Safety 9 Program they have to basically be I'm just going to 10 say an ultimate heat sink and they have to be of 11 certain size or volume. Certainly there are a number 12 of ultimate heat sink at nuclear power plants that are 13 smaller than the criteria to be defined as a dam. So 14 they are handled outside the Dam Safety Program, but 15 they are inspected by the agency. So it's a little 16 different.
17 CHAIR HALNON: Okay. And I would assume 18 that the plant technical specifications would pick up 19 where maintaining requirements and safety of the plant 20 from the standpoint of levels of lakes and whatnot, 21 just like at -- for instance V.C. Summer has a 22 separate pond for their emergency cooling system 23 ultimate heat sink.
24 MR. SEE: Yes, sir.
25 CHAIR HALNON: And that has a temperature NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
135 1 and level requirement in the tech specs.
2 MR. SEE: Yes, there are tech specs that 3 they have to meet. But you ask a very good question.
4 I wrote this down earlier listening to the -- are 5 there any cyber vulnerabilities to operating the 6 gates, because they do allow water in and out of these 7 ponds. Could there be a vulnerability there? That's 8 a question that I will be asking this summer when we 9 go out and conduct some inspections.
10 CHAIR HALNON: Okay. Yes, and it would --
11 certainly the physical -- that's -- you hit exactly 12 where my question was leading was into the --
13 MEMBER KIRCHNER: Yes, Greg, that's an 14 example that I was trying to raise earlier of an 15 important to safety.
16 MR. SEE: Yes.
17 CHAIR HALNON: Yes, I think there's 18 linkage that need to make sure were covered in the 19 programs. Thanks, Ken.
20 MR. SEE: No problem.
21 MR. CINTRON-RIVERA: So NRC coordination 22 with FERC and NERC. The NRC and FERC, the nuclear 23 regulatory policy coordinations. NRC consults with 24 FERC and NERC staff for transmission system status 25 when nuclear power plant requests informant's NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
136 1 discretion, for example. And we also exchange 2 information of interest during accidents affecting the 3 grid such as severe weather, dam safety inspection 4 coordinations, and EMPs.
5 So some of these -- one example that we 6 have that we recently engage in a lot of coordination 7 between the NRC and FERC was the 2001 Texas weather --
8 cold weather event from -- it was unprecedent cold 9 weather. Both of the sites remained safe during the 10 degraded grid conditions. And for Comanche Peak the 11 power plant shut down and proactively started on-site 12 emergency diesel generators to ensure that there is no 13 issues. And for South Texas Project 1 and 2 one of 14 the safety shut downs due to a frozen instrumentation 15 line.
16 MEMBER MARCH-LEUBA: So number one, this 17 was not a cyber issue. This was a weather issue, 18 right?
19 MR. CINTRON-RIVERA: It was a weather-20 related issue. I think was a winter storm that hit 21 the area of Texas and pretty much --
22 MEMBER MARCH-LEUBA: Yes, we're all 23 familiar with it.
24 MR. CINTRON-RIVERA: Okay.
25 MEMBER MARCH-LEUBA: I'm just making sure NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
137 1 we're talking cyber here.
2 MR. CINTRON-RIVERA: Yes, most of my 3 presentation is a broader -- not just specifically 4 for --
5 MEMBER MARCH-LEUBA: So this event is a 6 good driver and if it was a cyber issue. So did you 7 guys got with FERC into the control -- the emergency 8 operating center and monitoring the plant or were you 9 on the phone continuously or did you talk a couple of 10 weeks after the fact? How did it happen?
11 MR. CINTRON-RIVERA: From my perspective 12 it was after the event --
13 MEMBER MARCH-LEUBA: Yes.
14 MR. CINTRON-RIVERA: -- when all the 15 responses were issued. And then we pretty much 16 assessed what happened and how we handle the event.
17 And based on that we start communications with FERC to 18 ensure us what will be the next actions in terms of 19 the grid. The regional staff also contact us to 20 asking some questions as well.
21 MEMBER MARCH-LEUBA: The plant themselves 22 were mostly in contact with the region?
23 MR. CINTRON-RIVERA: Yes.
24 MEMBER MARCH-LEUBA: And FERC was an 25 afterthought?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
138 1 MR. CINTRON-RIVERA: So the regions 2 contact us, let us know what was happening, their 3 concerns of the event. And we start communications, 4 me as a point of contact, which our -- my counterpart 5 can pretty much establish communications such as the 6 event and further actions that later on during the 7 year, during the time period.
8 MEMBER MARCH-LEUBA: Yes, because I'm not 9 a resident of Texas, but it could have one worse than 10 the way it did. So are there any lesson learned on 11 how we could have made it better or --
12 MR. CINTRON-RIVERA: So the FERC issued a 13 report, recommendations, which are still -- we are 14 soon going to be coordinating as well another meeting 15 to ensure what's the status of the implementation of 16 those coordinations. And, but yes, that -- as soon as 17 the event happen FERC performs studies and issue a 18 report. And it was communicated to us as well to --
19 two presentations in a workshop and later on for 20 Region IV.
21 MEMBER MARCH-LEUBA: Yes.
22 MR. CINTRON-RIVERA: Some of the -- most 23 of the recommendations are for the revision of these 24 NERC standards to address cold weather events, pretty 25 much will the critical infrastructure be able to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
139 1 support those. And there is also some recommendations 2 that will be implemented later on that pretty much 3 relates to the challenges that the grid presented that 4 day, that -- during that winter event.
5 MEMBER MARCH-LEUBA: Okay.
6 MR. MATHARU: Yes, Jorge, this is Singh.
7 If I may interject a little bit here.
8 MR. CINTRON-RIVERA: Sure.
9 MR. MATHARU: Couple of things: Number 10 one, the region was in constant contact with the South 11 Texas and Commanche Peak during the cold weather event 12 from early because everybody was aware of the 13 challenging grid conditions.
14 And I think the other question was the 15 interaction between FERC and us and the plants. Texas 16 is kind of unique because it's not controlled by FERC 17 as such. It's not under their jurisdiction to a large 18 extent. The grid is controlled by an entity called 19 ERCOT. And they are an independent authority so they 20 have their own guidelines and regulations.
21 There is a clause within FERC requirements 22 that the ERCOT will try and maintain the voltage and 23 frequency requirements as put in by the standards, but 24 in essence ERCOT is an independent authority.
25 So we were negotiating between ERCOT, FERC, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
140 1 region, and the plant operators.
2 So to answer your question, yes, we were 3 on site, but we were not really -- FERC was not really 4 engaged as such during the event.
5 MEMBER MARCH-LEUBA: So I'm listening 6 here. I'm just offering this for comment. Is there 7 a hole in Texas and do we need an MOU with ERCOT?
8 MR. CINTRON-RIVERA: We are taking in 9 considerations that because the uniqueness of the 10 state on ERCOT. ERCOT is still subject to NERC 11 reliability standards, so some regulations from FERC 12 are not applicable because there not interstate 13 connections, but they still need to meet the 14 reliability requirements on following the FERC 15 standards.
16 MEMBER MARCH-LEUBA: Yes.
17 MR. CINTRON-RIVERA: But it's something 18 that we plan to started this questions with FERC.
19 Because of the uniqueness of ERCOT it might be -- I 20 know that it might be challenging in terms of 21 coordination of inspections since it's not FERC or 22 NERC. It's ERCOT that is performing those 23 inspections. We want to make sure that we have more 24 communications between the regions, regional staff and 25 ERCOT as well for these type of inspections.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
141 1 MEMBER KIRCHNER: I have a question. This 2 is Walt Kirchner. So three of the four units remained 3 online during this event. The ERCOT grid, if I 4 remember correctly, the capacity of wind alone is like 5 35 percent. Did you have trouble -- did the plants 6 have trouble -- I'm looking at your sub-bullet here, 7 they proactively started the emergency diesel 8 generators. So there probably were serious concerns 9 about loss of off-site power.
10 MR. CINTRON-RIVERA: Correct.
11 MEMBER KIRCHNER: Yes.
12 MR. CINTRON-RIVERA: For certain points of 13 the event the ERCOT presented issues with grid 14 reliability. There were some voltage frequency drops 15 in which the plants start communications with the 16 grid. And therefore what pretty much happen in that 17 ERCOT started load shedding so they can maintain the 18 grid stability, therefore not losing the power plants 19 as a base load.
20 MEMBER KIRCHNER: Right. Yes. As they 21 load shed, I'm just guessing in terms of -- we were 22 talking about reactor power. I'm not an electrical 23 engineer, but I've got the -- and my intuition is 24 telling me that these three units were keeping the 25 stability, the ERCOT grid likely.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
142 1 MR. MATHARU: That is correct.
2 MEMBER KIRCHNER: Yes. Okay. Thank you.
3 MR. MATHARU: So just to answer Walt's 4 question a little bit more, the issue with the Texas 5 grid was mainly related to gas power plants because 6 they did not protect the instrumentation and control 7 systems from the cold weather. The gas units started 8 shutting down or tripping off line. And even the 9 transmission network, grass transmission -- sorry, gas 10 transmission network was ineffective in getting the 11 gas to the right locations. So --
12 (Simultaneous speaking.)
13 MEMBER KIRCHNER: Well, right, and it's 14 dependent on electric, which is different than coal.
15 MR. MATHARU: Correct.
16 MEMBER KIRCHNER: I mean coal you have a 17 pile of coal, like a week's supply at the plant, 18 whereas you're relying on the gas line compressors 19 also that are electrically-driven.
20 MR. MATHARU: Absolutely. So it was a 21 cascading effect. And as a result of that the voltage 22 and the frequency was decaying and the transmission 23 system operator was trying his level best to maintain 24 reasonable parameters before the grid collapsed. And 25 there was a report that was published that stated that NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
143 1 they were like close to total blackout in Texas. I 2 think it was a question of minutes. And the nuclear 3 power plants did maintain some stability in the grid.
4 Yes, absolutely.
5 MEMBER KIRCHNER: Thank you.
6 CHAIR HALNON: Okay. I wanted to steer 7 this back towards cybersecurity again. Very 8 interesting event, but it really was meant to show the 9 coordination between the NRC and FERC. And that FERC 10 report, is that a -- that's a public report, I 11 assume --
12 MR. MATHARU: Correct.
13 CHAIR HALNON: -- that you mentioned?
14 Christina, can we get a copy of that?
15 MS. ANTONESCU: Yes.
16 CHAIR HALNON: That would be interesting 17 to see. That's good. Thank you.
18 Go ahead and finish up, Jorge.
19 MR. CINTRON-RIVERA: So this pretty much 20 is a summary of what -- the coordination that we did.
21 We had multiple meetings to identify the role of each 22 agency in Texas. As was -- we mentioned, ERCOT is a 23 ISO. It's an independent transmission system 24 operator. So we pretty much thought those were one of 25 the main questions that we have. What are its -- I NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
144 1 mean, for us this is clear, but what are -- was FERC 2 responsibility within ERCOT. As we mention, there is 3 a event report that was issued providing 4 recommendations. And we also hosted a workshop of the 5 event in which we had presentations related to the 6 bright line. We have NRC and FERC jurisdiction. And 7 so some other topics as well.
8 Next slide, please? In summary, the 9 agreement facilitates and continues cooperative 10 relations between the agencies. The agreement 11 provides an avenue for us to exchange experience, 12 information of data related to the gird. And the 13 agreements optimize stabilization of agency resources 14 and prevent overlap while allowing agencies to carry 15 out their respective responsibilities. That concludes 16 my presentation.
17 CHAIR HALNON: Thank you, Jorge. We're 18 going to be visiting Region IV in July and we'll pick 19 up the fragmented questions relative to the cold 20 weather event with the region and see how they 21 coordinated it.
22 So I didn't see Chris Brown on the line, 23 but, Larry, if you wouldn't make sure that goes onto 24 the ask list for our Region IV presentations during 25 our Subcommittee meeting there, I'd appreciate it.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
145 1 Any other questions for Jorge?
2 Okay. Thank you.
3 Ryan, I think you're going to close out 4 for lunch. How does it feel being the last person 5 before lunch?
6 MR. BECHTEL: No pressure, right?
7 CHAIR HALNON: No pressure. Go ahead.
8 MR. BECHTEL: I'm Ryan Bechtel from the 9 Department of Homeland Security, Cybersecurity and 10 Infrastructure Safety Agency, or CISA for short. I'm 11 representing today the Nuclear Reactors Materials and 12 Waste Sector sector management team within CISA.
13 CHAIR HALNON: Just real quick, Ryan does 14 not have any slides, so there's not going to be any 15 screen sharing for those of you online.
16 MR. BECHTEL: So I'm actually covering for 17 my colleague Dan McKenna, who's on leave this week.
18 So I will do my best to answer any questions that you 19 might have, but I might have to take some questions 20 for the record and get back to you if you need certain 21 specific pieces of information.
22 Today I'm largely going to be talking 23 about the partnership model between CISA and all the 24 other agencies, as well as the stakeholders within the 25 nuclear sector.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
146 1 So to start off under the National 2 Infrastructure Protection Plan there is a partnership 3 model which is -- establishes how federal, state, 4 local, territorial, and tribal agencies can coordinate 5 with each other and within critical infrastructure 6 stakeholder operators and owners in order to 7 furtherance the goal of improving security and 8 resiliency within all those respective sectors.
9 Again, I represent the nuclear sector.
10 And we have two parts within our partnership model.
11 One is the Government Coordinating Council, which 12 includes federal agencies as well as some state-level 13 groups. And then also the Sector Coordinating 14 Council, which represents the private sector side of 15 the nuclear sector. And then the SEC covers a wide 16 variety nuclear power plant operators as well as 17 radioisotope nuclear material providers and users, and 18 also research reactors.
19 So within the GCC it's made up of many 20 federal agencies including Department of Homeland 21 Security and all its sub-components including CISA, 22 Coast Guard, Customs and Border Protection, amongst 23 many others. There's also the Department of 24 Transportation, the Department of Justice, including 25 the FBI, Department of Energy, and of course the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
147 1 Nuclear Regulatory Commission, which is a very active 2 member within the GCC. Probably have I would almost 3 say hourly if not daily -- I'm sorry, daily if not 4 hourly contacts with somebody within the NRC just 5 going over the various odds and ends of daily 6 operations within the nuclear sector.
7 So my office -- I should say CISA acts as 8 the sector management resource agency within --
9 discharges those duties for the Department of Homeland 10 Security. And we are the ones that facilitate 11 coordination and collaboration between the private 12 sector and the public sector within the nuclear 13 sector.
14 So just to go over some examples of things 15 that we work on for collaboration between the nuclear 16 sector, specifically CISA, and the NRC, we work very 17 closely together within the Nuclear Government 18 Coordinating Council in order to improve communication 19 and coordination amongst -- between the two agencies.
20 NRC is a very active member. They're involved in 21 almost all of our sub-councils and working groups.
22 Amongst the sub-councils the biggest one for here 23 would be the Cyber Sub-Council. Dan McKenna, who 24 again could not be here today, he is the co-chair of 25 that Cyber Sub-Council. We also have one for research NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
148 1 and test reactors and one for radioisotopes.
2 For working groups there is the Private 3 Sector Transportation of Spent Nuclear Fuel Working 4 Group, which is a pretty active one, which NRC is the 5 vice-chair for that working group. And then there's 6 also a few other working groups which -- specific just 7 to the nuclear sector which are under development.
8 There's also some larger working groups 9 that are outside of not just the nuclear sector, but 10 also all the other 16 critical infrastructure sectors.
11 And the biggest one that I can think of would be the 12 Countering UAS -- UAS is, depending on your 13 definition, either unmanned aerial system or 14 uninhabited aerial systems -- Working Group, and that 15 deals with the -- and that working group specifically 16 is talking about how to deal with the threats and the 17 environments that UASs operate within.
18 So one of the ways that we facilitate 19 coordination within the nuclear sector is we hold 20 quarterly meetings between the Nuclear Government 21 Coordinating Council and the Nuclear Sector 22 Coordinating Council. Every quarter -- the next one 23 I think is in three or four weeks. It's in early 24 June. And at these meetings we have discussions that 25 are usually topical going over ways to improve NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
149 1 security or best practices, but also on the outskirts 2 of those meetings there are classified threat 3 briefings.
4 Typically DHS will host -- DHS always 5 hosts those, but we'll bring in speakers from within 6 different parts of DHS or other agencies to talk about 7 topical or necessary matters related to security that 8 we think would be necessary to share amongst all the 9 industry stakeholders, industry and government 10 stakeholders. NRC is also involved with those and has 11 occasionally provided some speakers for those 12 meetings, but they're always involved in those threat 13 briefings.
14 I specifically talked about the classified 15 threat briefings. We do also have monthly threat 16 briefings, unclassified threat briefings, but those 17 are not specific to the nuclear sector. They do cover 18 threats to all critical infrastructure. They're not 19 handled by my office, but they're handled within my 20 division.
21 Let's see. Just making sure I'm 22 covering --
23 MEMBER BROWN: Can I ask you a question?
24 MR. BECHTEL: Yes.
25 MEMBER BROWN: You talk about threat --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
150 1 I've forgotten the other word that went along with 2 threat. You're talking about all the threats that 3 could come in, cyber threats could come in?
4 MR. BECHTEL: Cyber and physical threats.
5 MEMBER BROWN: Okay. We're talking about 6 cyber today. How do you connect -- I'm trying to 7 figure out how you connect and let NRC know that 8 there's something -- or the rest of the electrical 9 grid operation system that could impact nuclear power 10 plants. How is that done. I mean, do you all have 11 this intelligence gathering set and then every day you 12 have a download or this is important, this is not, 13 or --
14 MR. BECHTEL: There's different tiers of 15 it. So there are -- so as threats do emerge, it is 16 posted -- sorry, the acronym escapes me right now --
17 on the CISA website as announcing here's threats that 18 have come in and what you need to be aware of. And 19 that's continuous. There are some things; and I'm 20 speaking right now at the unclassified level, where 21 we'll send out emails or notices for widest 22 distribution letting our stakeholders know, hey, this 23 is out there. You should be aware of it. And we 24 probably send out something like that every other day, 25 but --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
151 1 MEMBER BROWN: But emails -- I mean, if 2 you --
3 MR. BECHTEL: It's by email. But that's 4 the more --
5 (Simultaneous speaking.)
6 MEMBER BROWN: Doesn't anybody ever use 7 the phone to say, hey look, there's something going on 8 right now?
9 MR. BECHTEL: Oh, yes.
10 MEMBER BROWN: Get off your chair and go 11 do this or is there a protocol for how you -- the 12 level at which the communication is taken? I mean, I 13 get emails all the time --
14 MR. BECHTEL: Right.
15 MEMBER BROWN: -- or I get a text or 16 whatever it is, but if I'm not looking at them or I'm 17 doing something else, then you can miss it. And if 18 there's something important, a real vital threat that 19 comes up, seems to me the right place to voice --
20 MR. YIP: Ryan, I could take that.
21 MR. BECHTEL: Yes.
22 MR. YIP: This Brian Yip. So I can use 23 some real-life examples over the past couple years for 24 some of the more significant vulnerabilities and 25 threats that we've seen. One of them I want to say NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
152 1 was almost two years ago at this point related to the 2 BlackBerry QNX real-time operating system. The 3 government became aware of a vulnerability related to 4 that system. And we had interagency engagement for at 5 least a month or two leading up to the disclosure of 6 that vulnerability to the cybersecurity community.
7 There was again interagency engagement to 8 ensure that we distributed that information to all o 9 four concerned entities. With the NRC we coordinated 10 directly with CISA to ensure that we drafted and 11 released a security advisory, which is one of our 12 generic communications, coordinated to be released on 13 the same day that CISA disclosed the vulnerability 14 along with the vendor.
15 We took a similar approach with the start 16 of the war in Ukraine going back a little over a year 17 ago when CISA stood up its Shields Up Campaign to 18 start getting people more aware of potential Russian 19 cyber threats. And we issued a security advisory 20 related to that.
21 There was also -- we didn't potentially 22 see much impacts with the nuclear power plants, but 23 going back maybe three years at this point there was 24 a significant vulnerability with Microsoft Exchange 25 server. We issued a security advisory in coordination NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
153 1 with CISA on that, too.
2 MEMBER BROWN: Was that email? Text?
3 MR. YIP: So it's on the NRC website and 4 then it gets distributed to each licensee either by 5 email or to the control room. I'm not exactly sure of 6 the distribution mechanism.
7 MEMBER BROWN: How does a hair-on-fire 8 communication get done? That's where I'm -- that's 9 what I'm on the substance of the immediate threat 10 that's coming in and, my God, we got to tell everybody 11 now and how do you get their attention? Is there a 12 little alarm bell in a control station somewhere that 13 says --
14 MR. YIP: There is.
15 MEMBER BROWN: -- hey look, go look at 16 this because there's a hair-on-fire -- I don't have 17 any hair, but some people do.
18 MR. YIP: If we need to make an immediate 19 notification, we have the ability to contact the 20 control rooms using the Emergency Notification System 21 telephones. We can do that.
22 MEMBER BROWN: Okay. Just there --
23 MR. YIP: Yes, there is a way.
24 MEMBER BROWN: Okay. Thank you.
25 MR. BECHTEL: So I think that actually NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
154 1 covers most of it. So yes, when we -- most of it does 2 go out through email. I think there's been a few 3 cases where we have called people for something that's 4 particularly urgent just to make sure that certain 5 principals are in attendance for pop-up meetings that 6 might occur. Brian already mentioned a few examples 7 of that. There's a few others that have come up. And 8 again, this isn't specific to the nuclear sector, but 9 to all the critical infrastructure sectors. That some 10 major world event happens. We need to get everyone on 11 a call. And we're talking 2,000 or 3,000 people for 12 a briefing at the end of the day. And that's when 13 we'll either email or call them specifically to make 14 sure the principals are involved in that.
15 During the early days of CISA there were 16 meetings amongst all the critical infrastructure 17 sectors weekly to see -- to take a pulse, figure out 18 what was going on and see what needed to be worked 19 immediately. Does that help answer?
20 MEMBER BROWN: Yes.
21 MR. BECHTEL: Okay. Yes, so just going 22 through my notes, I believe I've covered everything.
23 Sorry. One other thing is there was a law passed last 24 year which dealt with cyber incident reporting and 25 CIRCIA. That process is still ongoing within CISA NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
155 1 right now on what that will look like, but NRC and 2 other nuclear sector members have provided feedback 3 explaining what they would like to see that goes into 4 that process.
5 Right now, as Dan alluded to earlier, it's 6 -- NRC is usually one of the first people that gets 7 notified. And then NRC or FBI would then notify CISA 8 on certain types of incidents. But the CIRCIA is 9 applying to all -- across all the critical 10 infrastructure sectors.
11 CHAIR HALNON: I have a couple questions.
12 And these can be short yes/no-type things.
13 Does CISA have connections to the private 14 industries as well?
15 MR. BECHTEL: Yes.
16 CHAIR HALNON: Okay. So you go direct to 17 the private industries if you have information needed 18 to --
19 (Simultaneous speaking.)
20 MR. BECHTEL: Yes.
21 CHAIR HALNON: Are you guys mainly a 22 coordination clearinghouse-type organization rather 23 than like a response resource perspective? Or maybe 24 the better question is what other resources do you 25 have other than the coordination and information NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
156 1 clearinghouse?
2 MR. BECHTEL: So my office is specifically 3 the coordination and information clearinghouse. There 4 are other parts of CISA that take more active roles 5 like threat hunting and that sort of thing.
6 CHAIR HALNON: Okay. I know it's a pretty 7 young organization so finding that --
8 MR. BECHTEL: Yes, the agency is a little 9 over three years old, but we historically were part of 10 DHS Proper.
11 CHAIR HALNON: Okay. So it just brought 12 those under an umbrella and named it?
13 MR. BECHTEL: I call it a nameplate 14 doxology sort of things just -- there was an act that 15 just split out one MPPD, or IP -- Office of 16 Infrastructure Protection -- and then through some 17 doxology made it into CISA.
18 CHAIR HALNON: Do you have a, for lack of 19 a better term, five-year plan to expand to your role 20 or is it pretty much set where you're at right now?
21 MR. BECHTEL: Within my office or within 22 CISA as a whole?
23 CHAIR HALNON: Well, your office and CISA.
24 I would say just --
25 (Simultaneous speaking.)
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
157 1 MR. BECHTEL: CISA certainly yes. Within 2 my office we're a pretty mature agency.
3 CHAIR HALNON: All right.
4 Anyone else have any questions?
5 Charlie?
6 MEMBER BROWN: If you have a cyber threat 7 come in, an immediate -- somebody's attacking our 8 infrastructure, where is the defensive action taken?
9 How do you get people to come in and stop it as 10 opposed to just informing everybody that they're about 11 to go down? I didn't mean that negatively, but I'm --
12 that's kind of the thought process. I'm thinking here 13 we've got somebody -- all of a sudden we've got a 14 foreign threat or an internal threat that's -- they're 15 getting -- bang, bang, bang, they're trying to get in 16 and they have gotten in and all of a sudden you need 17 people to say get on this and close it out. How do 18 you stop an attack, or do you --
19 MR. BECHTEL: I'm not really the right 20 person to answer that question.
21 Brian, you're --
22 MR. YIP: Yes, Brian Yip. That would be 23 the Threat Hunting Group that Ryan mentioned, and also 24 Dan mentioned in his presentation. They have the 25 capability. And we have engagement with them. They NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
158 1 have the capability to actually go on site and assist 2 a licensee or some other critical infrastructure --
3 MEMBER BROWN: That's too late then. I 4 mean, when you say go on site, you mean they hop on a 5 plane and fly to the site? By then they're 6 compromised.
7 MR. YIP: I mean, I don't know what their 8 standard operating procedures look like, but --
9 CHAIR HALNON: Charlie, I would say that 10 each utility -- I mean, the program we've heard this 11 morning is preparation and protection, but the 12 utilities have a response team as well. And I think 13 it gets down to you take care of the nuclear reactor 14 first --
15 MEMBER BROWN: I got that.
16 CHAIR HALNON: Yes, and in the parallel 17 with that, while you're responding to that you're 18 communicating to get -- be proactive outside of that.
19 But I'm going from my experience that you have a CRT, 20 a cyber response team on site that is like an 21 emergency response team that takes care of that. And 22 part of that is communication what they're dealing 23 with. And part of this is 73 boarding part that you 24 used to mention, but it's also just 50.72 as well.
25 DR. BLEY: Hey, Greg?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
159 1 CHAIR HALNON: Yes, go ahead, Dennis.
2 DR. BLEY: The questions are getting 3 awfully close to things that probably don't belong in 4 a public meeting. You're probably watching that 5 carefully. Just wanted to mention it.
6 CHAIR HALNON: Yes. Thanks, Dennis. This 7 is all part of the cyber plans that are not -- I mean, 8 I understand where you're going.
9 But nevertheless, there's parallel actions 10 going on in addition to the cyber response.
11 MR. YIP: Yes, that's exactly right.
12 CISA's capability is -- at least for the nuclear 13 sector is a supplement to what we already require 14 through the Cyber Security Plans.
15 MEMBER BROWN: My thought was just you've 16 got a plant, you've got operators, all of sudden they 17 see some systems are all of a sudden not operating 18 under their control. What do you do?
19 MR. YIP: Well, that's --
20 MEMBER BROWN: I mean, is there a --
21 (Simultaneous speaking.)
22 MR. YIP: I think they're on site, yes.
23 MEMBER BROWN: Oh, you've got on-site 24 teams that would say hold it, we respond to this, and 25 then go take action? So that's part of this overall NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
160 1 set-up? And I hadn't heard that before and that's 2 what I was looking at. Who takes immediate action as 3 you start losing control.
4 CHAIR HALNON: Yes, I think the industry 5 is pretty deep in that area. Take it very seriously 6 and they're really -- from my experience did a really 7 good job of making sure that they're at the line ready 8 to go if they need to be.
9 MEMBER BROWN: Okay. All right. Thank 10 you.
11 CHAIR HALNON: Other questions on this?
12 DR. BLEY: Well, Greg, I'm not sure who 13 I'd address this to. A lot of the kind of things 14 Charlie was just talking about are things that could 15 happen because of mechanical failures like problems 16 with instrument error or instrument AC, as well as 17 cyberattack. And how one discriminates seems pretty 18 tricky to me.
19 CHAIR HALNON: It is. And I would just 20 say that when I was in the control room, Dennis, we 21 dealt with the issue at hand and then -- and we talked 22 about post-mortem in the past, that if it was caused 23 -- we asked the question could this be a cyberattack?
24 And when we asked that, if that question was answered 25 either I don't know or yes, we engaged with the NRC NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
161 1 and it went -- blossomed from there. So that question 2 was always asked. When you're actually in it I think 3 you deal with the issue at hand. I don't know if 4 you're -- you're not trying to necessarily stop a 5 cyberattack because you don't know if it is or not.
6 DR. BLEY: Yes, that's what --
7 CHAIR HALNON: That's my experience 8 anyway.
9 DR. BLEY: Yes. The last time I was in a 10 plant these issues of cybersecurity weren't even 11 coming up.
12 CHAIR HALNON: Right.
13 DR. BLEY: So it's -- didn't know how they 14 were actually handling that.
15 CHAIR HALNON: Go ahead, Vicki.
16 MEMBER BIER: One other comment, just 17 clarification or background for people is that I think 18 most computer systems would also have electronic 19 intrusion detection that would be automatic or near 20 instantaneous if something suspicious is observed, 21 that certain actions are taken automatically. And of 22 course as Jose will tell you, that will only work for 23 the threats that you can anticipate well enough to 24 code in. But a significant fraction of things are 25 probably caught that way.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
162 1 CHAIR HALNON: Other comments/questions?
2 Okay. We're right exactly on schedule, so 3 we're going to recess for lunch. We will reconvene at 4 1:00 Eastern Time. Thank you.
5 (Whereupon, the above-entitled matter went 6 off the record at 12:00 p.m. and resumed at 1:00 p.m.)
7 CHAIR HALNON: Welcome back, everybody.
8 I want to continue with the Subcommittee on 9 Cybersecurity and give that back to the staff, so you 10 guys are up.
11 MR. GARCIA: Do a sound check, can you 12 hear me okay?
13 CHAIR HALNON: Yes. Point it right at 14 your mouth.
15 MR. GARCIA: Hi, my name is Ismael Garcia.
16 I'm from the Office of Nuclear Security and Incident 17 Response at the NRC. I want to thank the ACRS 18 subcommittee the opportunity to present this afternoon 19 to give you a high-level overview of the efforts being 20 taken by the staff to develop a cybersecurity and 21 regulatory framework for advanced reactors.
22 For intent of this briefing, just to give 23 you a high-level overview of the work, that is, we are 24 doing, but the key takeaway, the key message is it's 25 a lot of work out of us we have developed, staff has NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
163 1 developed a framework in the form of regulations and 2 the draft regulatory guidance, which was included in 3 the Part 53 rulemaking package that's being reviewed 4 by the Commission.
5 So we're still waiting for the commentary 6 process by the Commission to be able to address those 7 and subsequently if the package is approved, then 8 comments will be received in the public review 9 process. But again, it's a lot of work still ahead of 10 us.
11 Next slide, please.
12 The current proposed advanced reactors 13 involve diverse technologies, and these have a unique 14 set of functions and systems that support both nuclear 15 safety and security. To address the challenges in 16 there, cybersecurity, as I mentioned, the NRC staff is 17 developing a risk-informed, performance base that 18 includes the regulation and associated regulatory 19 guidance.
20 For the first part of the presentation, 21 I'll be discussing at a high level the development of 22 the cybersecurity requirements for advanced reactors.
23 And then for the second part, I'll discuss the 24 companion regulatory guidance development efforts.
25 But please know that all information I'll be NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
164 1 discussing in this presentation is predecisional, 2 because as I said, the Commission is still reviewing 3 the Part 53 rulemaking package which includes the 4 cybersecurity requirements and necessary guidance.
5 Next slide, please.
6 To kind of recap what Dan Warner covered 7 this morning, the cybersecurity requirements for the 8 legacy power reactors are found in 10 CFR 73.54, which 9 is titled Protection of Digital Computer and 10 Communication Systems and Networks. And these 11 requirements are based on the function assets perform.
12 Specifically, licensing must protect assets necessary 13 with safety, security, and emergency preparedness 14 functions and support system, which is compromised to 15 adversely impact safety, security, and emergency 16 preparedness functions.
17 The licensees must ensure the systems are 18 protected from cyberattacks up to and including a 19 design basis threat or DBT, which is defined in 10 CFR 20 73.1.
21 CHAIR HALNON: Go ahead.
22 MR. GARCIA: So March 1st, 2022, the staff 23 provided the proposed Part 53 rulemaking package for 24 the Commission for approval of the SECY 23-0021, which 25 is publicly available. The Part 53 rulemaking package NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
165 1 provides an option for the reactor licensee to either 2 implement the cybersecurity requirements in 73.54 or 3 the cybersecurity requirements documented in Part 4 73.110, which is titled Technologically Inclusive 5 Requirements for Protection of Digital Computer 6 Communication Systems and Networks.
7 The new cybersecurity requirements will 8 implement a greater approach based on the consequences 9 determining the level of cybersecurity protection 10 required for digital computer and communication 11 systems and network technologies.
12 The greater potential consequences 13 intended to facilitate risk-informed approaches 14 results in insights for a wide range of reactor 15 technologies to be assessed by the NRC staff. The 16 proposed rule recognizes that the most significant 17 role that may be played by digital computer and 18 communications systems for future reactor designs and 19 the proposed rule also leverage the operating 20 experience and lessons learned from the power 21 reactors' implementation or the current cybersecurity 22 requirements.
23 Next slide, please.
24 So this slide provides a high-level 25 overview of the cybersecurity regulations or NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
166 1 regulatory framework defined in 10 CFR 73.110 that 2 require a licensee to protect systems associated with 3 functions such as those dealing with safety, security, 4 and emergency preparedness. Using a greater approach 5 for implementing the cybersecurity program in a manner 6 that is commensurate with the potential consequence 7 from a cyberattack.
8 The proposed rule will allow scaling the 9 design implementation of the cybersecurity program at 10 a given advanced reactor design while ensuring 11 adequate cybersecurity posture. The first consequence 12 shown in this slide deals with radiological sabotage, 13 with scenarios where a cyberattack adversely impacts 14 the functions performed by these assets, which may 15 lead to off-site radiation doses that will endanger 16 health and safety of the public by exceeding the 17 established criteria defined in Part 53.
18 The second consequence shown in this slide 19 deals with physical intrusion or scenarios where a 20 cyberattack adversely impacts the functions performed 21 by these assets used to maintain physical security of 22 radioactive material that could be at the facility.
23 So let me put out an example to better 24 explain the concept behind the proposed cybersecurity 25 regulatory framework. So let's assume that the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
167 1 outcome and cyber assessment performed by a licensee 2 for a given advanced reactor design reveals that a 3 potential cyberattack will result in the consequence 4 listed in the rule and the implementation of a 5 cybersecurity program will need to address the 6 cybersecurity controls required for protecting against 7 such a cyberattack.
8 On the other hand, if the outcome of the 9 cyber assessment performed by a licensee for a given 10 advanced reactor design reveals that a potential 11 cyberattack would not result in the consequence listed 12 in the rule, then the implementation of the 13 cybersecurity program requirements will be minimized.
14 So such an outcome from a cyber assessment will be 15 indicative that the reactor design can demonstrate an 16 adequate cybersecurity posture without the need to 17 implement additional cybersecurity controls.
18 So while the licensee will still be 19 required to implement a cybersecurity program, it will 20 only need to address requirements such as those 21 dealing with analyzing modification to any assets 22 before implementation to see the design will still 23 demonstrate adequate protection against cyberattacks.
24 CHAIR HALNON: So Ismael --
25 MR. GARCIA: Yes.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
168 1 CHAIR HALNON: A quick question. The 2 risk-informed piece is aimed mainly at the consequence 3 of those two items, radiologic release and the 4 security of special nuclear material essentially, 5 correct?
6 MR. GARCIA: That's correct.
7 CHAIR HALNON: Given our discussion this 8 morning with the bulk electric system, does that enter 9 into that equation anywhere relative to the integrity 10 of the grid as well? Or is it only looking at what we 11 just talked about?
12 MR. GARCIA: At this point, based on --
13 thank you for that question, at this point, based on 14 this version of the rule, these are the only two 15 consequences listed, but we recognize there will be 16 other consequences that will be listed in the rule.
17 That's one of the areas we're going to be seeking 18 feedback if the Commission approves the rulemaking 19 package to see what any additional consequences should 20 be factored into the framework.
21 CHAIR HALNON: So the disconnect in my 22 mind that's occurring is that -- and I don't know if 23 it's a problem, I'm just saying it feels like a 24 disconnect, if you have a -- inside the nuclear plant, 25 you have some pretty important components, but they NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
169 1 won't lead to the off-site dose. May lead to a 2 problem with the core, but not to an off-site dose 3 issue.
4 The cybersecurity controls on that 5 component or those series of components may be less 6 than you might put on something in the switchyard, 7 which could only cause maybe a grid issue. So unless 8 we put that same cyber controls across the board, you 9 may have an unbalanced cyber program. In other words, 10 a very deep cyber program for things beyond the 11 breaker, but maybe not so necessary because of the 12 inherent safety features of some of these advanced 13 reactors.
14 Am I making sense on that question, the 15 imbalance that I can see occurring? Because if you're 16 going to go into the CYP rules that require -- what we 17 presently see as cyber controls on bulk electric 18 systems, yet we're risk informing inside the nuclear 19 plant, you could have actually a small, less intense 20 cyber program inside the nuclear plant and you might 21 have your bulk electric system -- I'm not sure if I'm 22 making sense, but that's the disconnect I'm seeing in 23 this.
24 So I guess the question is is the same 25 constant going to be pushed over into the impact of NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
170 1 this bulk electric system?
2 MR. GARCIA: Thank you for that question.
3 One thing we need to do going forward is, you know, 4 with FERC and other agencies as we continue to develop 5 this framework, based on the presentation this morning 6 --
7 CHAIR HALNON: On the punch list to do --
8 MR. GARCIA: Yeah, so you could add this 9 in a to do list as we move forward.
10 CHAIR HALNON: That makes sense. I mean 11 we're still early on, and you're working with a lot of 12 hypotheticals at this point.
13 MR. GARCIA: At this point, basically, 14 yes. That's one of the things we need to do going 15 forward.
16 CHAIR HALNON: Thank you.
17 MR. GARCIA: So as part of the proposed 18 regulatory framework, as I mentioned, licensees will 19 need to perform analysis, assess the potential 20 consequences resulting from cyberattacks, identify 21 those assets that need to be protected, and also 22 establish, implement, and maintain a cybersecurity 23 program as defined in the cybersecurity plan to 24 protect the assets identified by a planned defense-in-25 depth approaches like the ones that Dan discussed this NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
171 1 morning to ensure the ability to detect, delay, 2 respond, and recover from cyberattacks capable of 3 causing the consequences defined in the rule.
4 In addition, a licensee will need to 5 implement cybersecurity controls commensurate with the 6 safety and security significance of those digital 7 assets.
8 Next slide, please.
9 Now we will discuss the efforts the staff 10 is planning to support the development and the 11 companion guidance to allow Part 53 licensee implement 12 the cybersecurity requirements that I just went 13 through.
14 Next slide, please.
15 So the NRC staff, with the support of the 16 cybersecurity experts from the Sandia National Lab, 17 have been taking efforts to develop a regulatory guide 18 to provide a commercial nuclear power reactor on their 19 Part 53 license with an acceptable approach to 20 implement the requirement, the cybersecurity 21 requirements in 10 CFR 73.110.
22 This guidance, documented in DG-5075, 23 which eventually will be known as Reg Guide 5.96, 24 entitled Establishing Cybersecurity Programs for 25 Commercial Nuclear Power Plants Licensed under 10 CFR NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
172 1 Part 53.
2 This Draft Reg Guide was included as a 3 reference, along with the ADAMS accession number in 4 SECY 23-0021. The Draft Reg Guide will provide an 5 example method that applies risk-informed, 6 performance-based, and technology-inclusive approach 7 to account for the different commercial nuclear power 8 plant technologies licensed under Part 53 to 9 demonstrate protection against a potential 10 cyberattack.
11 CHAIR HALNON: But does it have to be 12 solely under Part 53, or could it just be an advanced 13 reactor? Because some of these, like the Army's, we 14 just did under Part 50. So I mean, is there something 15 special about Part 53 that causes you to limit this 16 Reg Guide to only Part 53?
17 MR. GARCIA: Thank you for that question.
18 Right now, we're developing to support the Part 53 19 framework, but some of the questions that we have even 20 during the development of the cybersecurity 21 requirements is like, hey, perhaps a light water 22 reactor commercial nuclear power plant can apply those 23 requirements. Nothing will prevent them from doing 24 that. So right now our focus is to support the Part 25 53 effort, but one can make a case at the end that NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
173 1 either Part 53 maybe to use that guidance as well.
2 CHAIR HALNON: We made the same comment 3 for Reg Guide on the alternative evaluation of risk 4 process. It looks like it could be expanded beyond 5 Part 53, if it's really good to use, the new 6 technology may not necessarily all be licensed under 7 Part 53.
8 Same comment, could look at maybe making 9 it broader?
10 MR. GARCIA: Yes. Thank you for that 11 comment, so yes, some of the concepts I'll be 12 discussing in the guidance could be applicable 13 relative to a commercial nuclear power plant light 14 water reactor versus non-light water reactor.
15 So this Reg Guide, Draft Reg Guide will 16 describe, among other things, elements required in a 17 cybersecurity plan, including a template of how to 18 develop a cybersecurity plan, the different 19 cybersecurity controls that need to be applied by a 20 licensee, and it leveraged information from Reg Guide 21 5.71 that the ACRS got a chance to have some meetings 22 on this topic on this Reg Guide titled Cybersecurity 23 Program for Nuclear Facilities, which again was 24 developed for the commercial nuclear power reactors.
25 The Reg Guide also leveraged information NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
174 1 from IAEA and IEC documents on cybersecurity. And 2 again, pretty soon that the guidance documents will be 3 made publicly available if the Commission approves the 4 proposed rulemaking package.
5 Next slide, please.
6 Some other technical areas the Draft Reg 7 Guide will document and approach to determine the 8 level of cybersecurity protection required against 9 potential cyberattack, which will be based on a three-10 tier approach to analysis of the facility and at the 11 function and at a system level. So basically, a top-12 down kind of approach.
13 At the facility level, the intent of the 14 analysis will be to rely on existing security and 15 safety assessments to determine whether a plant's 16 design basis and existing physical protection system 17 are sufficient to effectively prevent the potential 18 consequences from a cyberattack.
19 At the functional level, the intent of the 20 analysis is to develop adversary functional scenarios 21 to understand the adversary's access to attack 22 pathways that could allow the compromise of regular 23 plant functions resulting in unacceptable consequences 24 defined in the rule.
25 The primary intent of this portion of the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
175 1 analysis will be to eliminate or mitigate potential 2 attacks to pass the cybersecurity plan and defend the 3 cybersecurity architecture elements such as the use of 4 the data value that was discussed earlier today.
5 And then on the system level, the intent 6 of the analysis, to identify critical plant systems 7 along with adversary technical sequences that involve 8 detailed attack steps, to determine the active 9 cybersecurity plan and defensive cybersecurity 10 architecture protective measures including the 11 cybersecurity controls just like the one that Dan 12 mentioned, discussed this morning, to prevent or 13 mitigate the impact of such systems.
14 Yes?
15 MEMBER BROWN: You're finished with this 16 slide? Did you have something else to say? I 17 interrupted you, I apologize.
18 MR. GARCIA: That's perfectly fine.
19 MEMBER BROWN: Use active cybersecurity 20 plan and defensive computer security architecture ID 21 intrusive detection systems to protect against 22 cyberattacks. In other words, I'll take a reactor 23 protection system's software and I'll crank all kinds 24 of cybersecurity software in it so I can make sure 25 that it's not operating when it's asked to because NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
176 1 it's also evaluating and scanning the system.
2 MR. GARCIA: Thank you for that question.
3 The intent is not to --
4 MEMBER BROWN: That's not the intent, but 5 that's what it says. I'm going to incorporate -- I'm 6 going to put McAfee or whoever the other magic virus 7 protection systems are, and I'm going to install it 8 inside of my protection systems and safeguard systems.
9 MR. GARCIA: Yes, the intent is not to 10 affect or adversely affect the performance of the 11 safety system. I'm trying to clarify. The intent 12 here is to apply the same kind of controls we apply to 13 the other Reg Guide, 5.71.
14 MEMBER BROWN: That's not what that says 15 in your architecture.
16 MR. GARCIA: The intent is not to 17 adversely affect the performance --
18 MEMBER BROWN: Oh, I know -- I agree with 19 you. I understand the intent is not to do that, but 20 as soon as you open the door, that effectively --
21 you're going to be arguing about it every time an 22 application comes in. They're going to say ah, we're 23 going to throw all this other stuff in there and don't 24 worry about it. We don't need data diodes. We don't 25 need this, because we've got all this great intrusion NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
177 1 software that's going to figure everything out, and 2 now it's going to be a big fight in order to get the 3 darn system through NRC.
4 And if I'm on the committee, it will be a 5 big fight to -- I couldn't resist that.
6 MR. GARCIA: That's perfectly fine.
7 MEMBER BROWN: To get a committee to agree 8 to do that. And I'm not arguing that there's not some 9 things you would, what I would call the non-active 10 internal things you can put in to verify that data is 11 being transmitted accurately throughout the entire 12 process. There's start-up things you check to see, 13 hey, look, everything looks the same every time I boot 14 it up as it did the last time. But that's not the 15 same as what I call the active intrusive cybersecurity 16 stuff, like when you're sitting into your personal 17 computer at home, and all of a sudden something 18 doesn't happen for 34 seconds, and all of a sudden the 19 thing pops up because it was, oh, I completed a scan, 20 and now you're okay. That's -- I didn't get that out 21 of the Part 53 reviews.
22 Has this been included in any of the 23 detailed Part 53 reviews? I don't remember that. Am 24 I behind the part, Dave? Am I right?
25 MEMBER PETTI: Yes, I don't think it's at NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
178 1 that level of detail.
2 MR. GARCIA: Yes, because this portion is 3 getting into the guidance level.
4 MEMBER BROWN: I understand that. I just 5 didn't remember that we had addressed it on the Part 6 53 section by section details.
7 MEMBER PETTI: I think it's important 8 though that these concerns get reflected in guidance, 9 that in no way does this mean one should go against 10 the guidance on data diodes and somehow reflect what 11 the subset of options are, right?
12 MR. GARCIA: And at this point, yes --
13 thank you for those comments. Yes --
14 MEMBER BROWN: I was just going to say, 15 now we've got 5.71, but then you're going to say we're 16 going to have another Reg Guide now, 5.96 or some 17 other alphabets or numerical soup, to work to do 18 cybersecurity when -- why do I have to have a whole 19 new set of guidance on how to do cybersecurity for 20 operating plants -- for the new plants that I didn't 21 need to address on the existing plants? I'm having a 22 hard time walking my way through that shark-baited --
23 I'll have no feet by the time I get finished with this 24 walk.
25 MR. GARCIA: Thank you for the comments, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
179 1 so let me say for the purpose of the system, when we 2 get to the system level, the draft, it's still a draft 3 document, but the draft guidance has basically 4 leveraged information of Reg Guide 5.71.
5 MEMBER BROWN: They have what?
6 MR. GARCIA: Leveraged information of Reg 7 Guide 5.71, used the information of Reg Guide 5.71, in 8 terms of pointing to that document for the 9 cybersecurity controls that should be applied to your 10 control systems.
11 MEMBER BROWN: That means you've got to 12 have one document, and then you've got to have the 13 other document in order to complete your determination 14 --
15 CHAIR HALNON: Yes, but 5.96 would be 16 risk-informed, so --
17 MEMBER BROWN: Yeah, I understand, I just 18 love risk-informed cybersecurity.
19 CHAIR HALNON: Is this how your staff 20 meetings went?
21 MEMBER BROWN: Pardon? He worked for me 22 at one point.
23 CHAIR HALNON: No, I was wondering if this 24 --
25 MR. GARCIA: Kind of deja vu. So those NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
180 1 questions about taking all that information for Reg 2 Guide, the cybersecurity controls, and put them into 3 the enclosure, into this new Draft Reg Guide, but 4 again, this is still draft form, so that may an option 5 that could be explored down the road.
6 MEMBER BROWN: I just don't understand why 7 the guidance, the techniques, the guidance, the 8 defensive levels, all that stuff, in my own mind, is 9 technology-inclusive, it's risk-informed, and it's 10 performance-based. And I can apply it to any design 11 they come up with for an advanced reactor or non-12 advanced reactor. It makes no difference.
13 The 5.71, I reviewed it three times now, 14 maybe just two, a number of revisions, let's put it 15 that way, and it is very generalized such that it 16 doesn't restrict. It doesn't say applicants can't do 17 this or do that, so it's this own risk-informed --
18 whether I like risk-informed or not is irrelevant. It 19 has options for applicants to take various actions and 20 propose those for acceptability to the staff. It's 21 not dictatorial. Most of the stuff in there says we 22 can accept this type of thing. We can accept this.
23 This method is acceptable, so is this.
24 I just don't see the benefit of developing 25 a whole brand new Reg Guide, where it references back NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
181 1 to the other one, now I got to have two Reg Guides to 2 sit in front of me to determine whether I'm going to 3 be satisfactory when I go and make my presentation to 4 develop my process.
5 CHAIR HALNON: So I would just take that 6 comment --
7 MEMBER BROWN: I was on a roll.
8 CHAIR HALNON: Yes, I'm going to give you 9 square tires.
10 (Laughter.)
11 Dennis, on line, you're up.
12 MR. BLEY: Yes, Dennis Bley. Hi, Ismael.
13 I'm listening to Charlie, but I'm not quite with him.
14 I'm looking at your slide, which is only a slide.
15 It's a cartoon of what's going to be in the guidance, 16 but the first level up there, eliminate potential 17 adversary scenarios through facility design, is I 18 think the first time the staff's been really 19 responsive to an old SRM that says integrate safety 20 and security efforts through the design. I think 21 that's a big step.
22 The other things, you were down at the 23 system level, but at the functional level, it's got 24 the things I think Charlie's most focused on that are 25 still there. And finally, if this proceeds like NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
182 1 several of the other places we've seen guidance 2 developed for a new function, I think some of what 3 you're putting in here is new, and I suspect what must 4 be in the future is that being adapted back into what 5 we have for light water reactors in general. I don't 6 know if you want to comment on that or not, but that's 7 at least my reading of where you're headed.
8 MR. GARCIA: Yes, thank you, Dennis, for 9 those comments. I agree with you. Let me step back 10 to respond to some other remarks, Member Brown, that 11 like I said in the rulemaking package, we give the 12 option to the reactor licensees to either apply 13 existing framework or the new one.
14 MEMBER BROWN: Framework A and B.
15 MR. GARCIA: No. 73.54 requirements or 16 73.110. And the reason being that while we developed 17 73.110 is because, in the case of 73.54, as we 18 discussed earlier this morning and I briefly 19 summarized it at the beginning, that you pretty much 20 have the -- you need to protect safety and security 21 measures for various functions and all support 22 functions.
23 But looking at advanced reactors, there 24 might be cases that hey, they may not have the assets 25 for safety-related functions and they may rely on NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
183 1 panel devices for example, let's assume for a second.
2 So in those cases, they may have to then start 3 requesting exceptions in some portions of those 4 requirements in the system rule, and then that's not 5 perhaps an efficient way to be able to apply the 6 regulatory framework.
7 So that's why we developed this 73.110 set 8 of requirements to develop a framework that kind of 9 mimics what we have today in terms of cybersecurity or 10 other framework in the sense that when you look at the 11 entire spectrum of NRC licensees, you have -- you go 12 from research and test reactors, they don't have --
13 that case cybersecurity requirements apply to them.
14 We have guidance. We don't have requirements applied 15 to that. All the way up to nuclear power plants that 16 have, as we discussed, a fairly robust cybersecurity 17 framework.
18 So we're trying to develop this regulation 19 that kind of mimics the same approach that we have 20 today for cybersecurity requirements or cybersecurity 21 framework that we apply to NRC licensees.
22 So based on that framework that we're 23 trying to develop a guidance that captures some of the 24 concepts like the secure by design to try to promote 25 that kind of concept that then cybersecurity could be NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
184 1 applied early in the process versus late, but then at 2 the end when you get down to different levels of 3 analysis, it pretty much will be at the same kind of 4 level as we did today for power reactors and the 5 guidance in Reg Guide 5.71.
6 Yes, it will require, like Charlie 7 mentioned, having two documents available. That's the 8 kind of discussion we need to have going forward.
9 Does that really make sense if you're going to go down 10 that path of developing this new framework?
11 MEMBER BROWN: Just to counter, I might 12 disagree with Dennis, there's always room for 13 something new floating through, but when you look at 14 the -- eliminate potential adversary scenarios to 15 facility design, 5.71 lays out an architecture of 16 level 1, level 2, level 3, level 4 -- you design your 17 plant within those levels. You're doing the same 18 thing with 5.71, you don't need another document.
19 The mitigation of CDAs, you've got a whole 20 bunch of different paragraphs that discuss how to do 21 that, and what some data diodes are an acceptable way 22 of doing it. There may be other ways you can do that.
23 Your comment relative to well, the new 24 plant may decide to use analog circuits. Well, that's 25 no longer a CDA, so it doesn't matter whether or not NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
185 1 they pay attention to the other document or not.
2 All I'm trying to do is lay on the table 3 that you ought to give some thought to not proliferate 4 documents that people have to deal with as we go 5 forward with Part 53. That's the thought process.
6 The more paperwork, I mean right now, I've 7 looked at some old Reg Guides that we looked at, and 8 there were five different IEEE standards that you may 9 have to go through to pull out enough detail in 10 addition to the positions you have in the Reg Guide.
11 I mean it's a nightmare trying to figure out what do 12 you need and what do you don't need in your design.
13 Proliferation of documents you have to 14 review is just difficult. So I'll quit.
15 CHAIR HALNON: The question is as you're 16 drafting this document, are you seeing a delta, a huge 17 delta between 5.71 and your draft 5.96?
18 I mean if you get done with 5.96 and you 19 say well, that looks pretty much just like 5.71, then 20 you have to ask the question was Charlie -- is the 21 wisdom he's putting out there, really was it worth the 22 work, I guess, is a way of putting it.
23 MR. GARCIA: And we're looking into that, 24 because again, the document, the new Reg Guide 25 leverages that information but includes some of the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
186 1 concepts that -- I know that Charlie mentioned you 2 have the level 1, 2, 3, and 4 architecture. Well, 3 this one is getting in at a higher level, but at some 4 point can you look into the way that you define --
5 design your protection system, physical protection 6 system, because there might be some credit you can 7 take there to mitigate the potential consequences from 8 a cyberattack. It takes it to a higher level.
9 This is the kind of discussion, I agree, 10 it's the kind of discussion we need to continue having 11 going forward.
12 MEMBER BROWN: I cannot see anybody going 13 backwards from computer-based reactor protection 14 systems to analog protection systems.
15 MR. GARCIA: You would be surprised some 16 of the conversations we have at pre-application 17 meetings.
18 MEMBER BROWN: Has anybody come in who 19 wants to use an integrated circuit, operational 20 amplifier circuits?
21 MR. GARCIA: Not yet.
22 CHAIR HALNON: Okay, you guys are going 23 way back in the vault for this one. Let's move on.
24 MEMBER BROWN: I did the first 25 transistorized mag amp combination average. It was NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
187 1 for a cruiser.
2 CHAIR HALNON: And it's probably still 3 floating --
4 (Simultaneous speaking.)
5 MEMBER BROWN: No, they got turned into 6 razor blades years ago, 25 years ago.
7 CHAIR HALNON: You're almost --
8 MEMBER BROWN: Go ahead.
9 MR. GARCIA: Yeah, I was going to say --
10 yeah, thank you for those comments. So in terms of 11 the approach, is that you want to do an analysis up to 12 a level that you can show the adequate protection 13 against cyberattacks. So it could be analysis the 14 first year, the facility level to demonstrate adequate 15 protection against cyberattacks.
16 The analysis could involve two tiers, 17 meaning at the facility and the function level or to 18 build all three tiers. But again, the guidance is 19 based on doing the analysis up to a point. And you 20 can demonstrate adequate protection against 21 cyberattacks. Next slide, please.
22 So wrap it up, there's future work. Like 23 I said, it's a lot of work ahead of us, there are some 24 other, time for some other concerns, comments you 25 provided during this briefing. At this time, we NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
188 1 continue to support Part 53 rulemaking efforts, 2 including the cybersecurity portion not only in the 3 comments we get from the commission. But if the 4 rulemaking package is approved, then we'll address any 5 comments when the product review -- and also address 6 some of the technical issues that my colleagues in 7 research are going to be discussing during the next 8 presentation.
9 CHAIR HALNON: Do you have a target when 10 you're going to have that draft guidance document at 11 least to a point where it can be read internally?
12 MR. GARCIA: It is available in ADAMS. So 13 when you go to SECY 23-0021 in the cover letter --
14 MEMBER BROWN: You don't even have to do 15 that. Just go look at the slides. You can look at 16 it. I've already looked at --
17 (Audio interference.)
18 MR. GARCIA: And then it has the reference 19 number to the draft reg guide. So it's available.
20 It's just not publicly available but it's available.
21 Yes?
22 MEMBER MARCH-LEUBA: Does this work 23 combined with autonomous or a remote operation?
24 MR. GARCIA: Right now -- thank you for 25 the question. At this time, the reg guide is silent NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
189 1 in that area mainly because we got direction from 2 management that for the purpose of this version of the 3 rulemaking language, I was just focused -- we put that 4 issue aside. Nonetheless, we're doing work with the 5 college research to understand what is out there in 6 terms of the technology, operation and remote 7 operations, so we can think about, okay, what kind of 8 cybersecurity controls would be needed for perhaps the 9 licensee that decides to use that kind of technology.
10 MEMBER MARCH-LEUBA: Remote operation is 11 diametrically opposed to what we say this morning 12 about the philosophy of cybersecurity, an autonomous 13 (audio interference). So if you are going to create 14 something new, you should at least invest it, right?
15 MR. GARCIA: Yeah, and then so we're doing 16 the research to see what kind of -- like, I guess, in 17 terms of operation, do we need to impose any 18 additional controls? We'll be back to delta, a 19 question about the delta between this reg guide and 20 the previous one will address that in the document.
21 CHAIR HALNON: Any other questions? Okay.
22 Let's move on. Anya, are you up?
23 MS. KIM: Actually -- excuse me.
24 Actually, Brian is going to do his introduction first.
25 MR. YIP: I can get started while the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
190 1 slides are getting up. So our engagement with the 2 Office of Research is really important to our ability 3 to execute the cybersecurity mission. And we're 4 engaging with research, all levels on cybersecurity, 5 at the staff level.
6 Frequently, my counterpart, Chris Cook, 7 and I talk at least on a weekly basis. We're briefing 8 our management on cybersecurity research on a monthly 9 basis. And so what you're going to see in this next 10 briefing is the activities the Office of Research is 11 doing to support the cybersecurity mission.
12 And as we're looking towards advanced 13 reactor reviews and also novel technology 14 applications. And when I say novel technology, I'm 15 referring both to new technologies as well as 16 applications of existing technologies in new and 17 different ways even with the operating fleet. So with 18 that, I'll turn it over to Anya and Doug. Thanks.
19 MS. KIM: Thank you. My name is Anya Kim.
20 Can you hear me? And can we move to the -- Tammy, can 21 we move -- actually, all of this should be Brian. You 22 should be presenting or I can present.
23 MR. YIP: Anya, why don't you go ahead and 24 present if you have the notes.
25 MS. KIM: Okay. So just to give you a NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
191 1 brief description of what we plan to talk about, we'll 2 give you a brief introduction and let you know what 3 our research goals and drivers are for doing this 4 various research. And we have a research approach 5 that we generally take for our research topics. And 6 we will give you a brief overview of four 7 representative research topics on our novel 8 technologies project umbrella and then a quick wrap-9 up.
10 So I think Brian mentioned this already.
11 But I will just briefly summarize. The research 12 department -- research branch cyber security research 13 supports the current and future NSIR activities and 14 the novel technologies that we look at. And I think 15 Dan mentioned this earlier.
16 They're not necessarily novel to everybody 17 but novel to nuclear. But novel technologies are 18 applicable to both operating and advanced reactors.
19 So anything we learn from examining them for operating 20 reactors, we could apply to advanced reactors and 21 small modular reactors.
22 So we are looking at these technologies to 23 be ready for the future and to help staff to support 24 them in any way we can. And next slide. So the goals 25 of our research as I briefly mentioned is to perform NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
192 1 anticipatory research to anticipate the needs and 2 prepare NRC staff to meet the potential challenges 3 that they would face within the nuclear domain. And 4 so the main goals would be to educate NRC staff and 5 identify potential cybersecurity implications of using 6 these technologies and develop awareness of and 7 collaboration with any government or nuclear industry 8 partners that could exist.
9 Okay. So there are drivers for doing this 10 research is that licensees are considering using these 11 new technologies or novel technology implements in 12 current or future applications. In that case, there's 13 likely to be a change in the attack vectors. And we 14 want to be able to understand what the associated 15 cybersecurity issues would be and how to address that.
16 Excuse me.
17 And from there stems a need to develop a 18 technical basis for licensing guidance and oversight 19 of these new technologies. And even for inspection 20 tools to help NRC staff in their work as they review 21 these new technology applications. The four 22 technologies we will be looking at today are field 23 programmable gate arrays, autonomous control systems, 24 artificial intelligence and machine learning, and 25 wireless technologies.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
193 1 So for field programmable gate arrays, I 2 will be presenting this in the autonomous control 3 systems. And Dr. Eskins, my colleague, will be 4 presenting the AI artificial intelligence and wireless 5 security. For each topic, in general, we will present 6 a brief background of the technology and the reason 7 we're doing the research, the motivation behind it and 8 any insights we've gained from the research.
9 First, let's talk about FPGAs. I spelled 10 out the acronym there because it helps understand what 11 FPGAs are. They are devices in which the application 12 logic is implemented in hardware circuits. So there 13 is no software and they can be configured to perform 14 a user defined custom function.
15 And as their name suggests, they can be 16 programmed and reprogrammed in the field. However, 17 that's not as easy as you think. It's not like the 18 software updates that get pushed to our computers and 19 our phones. It requires access to the FPGA device as 20 well as a constant power supply. So FPGAs in the 21 operating nuclear fleets have been --
22 MEMBER BROWN: Can I ask you a question on 23 that?
24 MS. KIM: Yes, sure.
25 MEMBER BROWN: There's two types of FPGAs.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
194 1 There are volatile and non-volatile.
2 MS. KIM: Yes.
3 MEMBER BROWN: The non-volatile are the 4 ones you just talked about in one way, shape, or form.
5 The volatile ones lose their programming. So you have 6 to have rem somewhere when power comes back, you 7 reprogram it on the spot. That's internal to the 8 system.
9 Now the way I view those is that the rem 10 that you got, the memory that you got that's going to 11 reprogram it has to be done over and over again every 12 time you lose power. That would be possibly to access 13 by some cyber operation because that more than likely 14 is e-squared or something that's electrically erasable 15 and then you can redo it or whatever the latest 16 version of those suckers are. So you really got to 17 address those into formats. The FPGAs themselves when 18 they're sitting there, you're right. You have to take 19 -- either take the chip out or you have to be able to 20 isolate and then go reprogram it which is a fairly 21 complex operation to reprogram.
22 MS. KIM: Right. And that's why I did say 23 they can be reprogrammed. And I do want to step back 24 and say actually so when we talk about FPGAs, we have 25 to think about them in terms of are they volatile? Or NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
195 1 are they re-programmable? And the non-volatility is 2 basically -- so what they've called the configuration 3 logic is -- or bit stream is if it's volatile, when 4 it's powered off, it gets erased.
5 So that's why you have to constantly 6 reload. But that's different than reprogramming.
7 It's the same thing that you're taking from an EPROM 8 onto the FPGA. And yes, there is a cybersecurity 9 concern there because when you're loading it from the 10 EPROM to the FPGA, there's a connection where you can 11 obviously steal it or try to manipulate it.
12 MEMBER BROWN: We'll you could've already 13 had manipulated the --
14 (Simultaneous speaking.)
15 MS. KIM: And that's --
16 MEMBER BROWN: -- EPROM.
17 MS. KIM: Yes, and I'll get into that 18 right now. I was just going to give you a background.
19 But yes --
20 MEMBER BROWN: Sorry to interrupt.
21 MS. KIM: No, no, I prefer that. Yes, so 22 in that case, some countermeasures are that nowadays 23 the volatile FPGAs do offer encryption. You can 24 encrypt the bit stream.
25 So even if you intercept it, you can't NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
196 1 read it. And then the re-programmable part is the one 2 where if you want to change the design or the 3 configuration, that's where you can reprogram it as 4 many times as you want. And some FPGAs, you can 5 reprogram it multiple times. And then one type of 6 FPGA, it's only one time.
7 MEMBER BROWN: That's not unlike some of 8 the early EPROMs that you had a limited number of 9 times you could reprogram it until they --
10 (Simultaneous speaking.)
11 MS. KIM: Exactly.
12 MEMBER MARCH-LEUBA: Yeah, you've got to 13 be a little careful. You're thinking what's similar 14 to what it had to do with what's called secured good.
15 Before you load up the present system --
16 MS. KIM: Secured, yes.
17 MEMBER MARCH-LEUBA: -- you're loading the 18 proper one. We do that every single time we turn 19 power on, on a computer.
20 MS. KIM: Right.
21 MEMBER MARCH-LEUBA: It's pretty good.
22 But our guys are finding ways to mess with it.
23 MS. KIM: Exactly.
24 MEMBER MARCH-LEUBA: I mean, there is a 25 patch for the WiFi (audio interference). They inject NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
197 1 the virus before secure boot. So you cannot discard 2 it.
3 MS. KIM: No, you cannot.
4 MEMBER MARCH-LEUBA: You have to keep an 5 open mind when you're doing this attack vectors.
6 MS. KIM: And this is a great conversation 7 we're having because this is all the stuff that as --
8 when it's our job to review these FPGA-related --
9 sorry, FPGA-based systems, we need to know all this 10 stuff because some chips offer it, some don't. And 11 then some have ways you can intersect it. Some are 12 more vulnerable to this secure boot attack than 13 others.
14 So having that knowledge helps us 15 determine what the security posture is. And that's 16 what research is doing. We're trying to compile --
17 (Simultaneous speaking.)
18 MEMBER MARCH-LEUBA: And that is your job 19 to understand it so you can tell these guys --
20 MS. KIM: Yes.
21 MEMBER MARCH-LEUBA: -- what they have to 22 worry about.
23 (Simultaneous speaking.)
24 MEMBER MARCH-LEUBA: The other thing I 25 wanted to point out maybe in the next slide but I can NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
198 1 do it now since I have the microphone is the easiest 2 attack -- cyberattack you can have is a denial of 3 Service. And we talk about that certainly for 4 autonomous and remote operation. It's so easy that 5 you can fire up your browser and go buy one.
6 I mean, you can buy a couple hundred 7 bucks. It gives you denial of Service for five 8 minutes. And then you pay by the hour. It's kind of 9 interesting.
10 So denial of Service means is there 11 anything I can do to make my FPGA not work? Can I 12 have a some notice? Can I have some change in 13 temperature?
14 So how can I deny the FPGA from performing 15 its work? That would be my vector for attacking you.
16 And you're the researcher, guys. You need to think 17 about this, not me.
18 MS. KIM: The threat. And if we can move 19 to the next slide, we can talk about it on this slide.
20 So the purpose of this research is to identify those 21 potential security concerns with FPGAs for future 22 nuclear applications.
23 And basically, we're investigating whether 24 FPGAs are inherently cyber secure since there is no 25 executable software on it or whether or not they are NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
199 1 vulnerable to these internet cyberattacks. And our 2 research right now is ongoing, but our preliminary 3 findings show us that it's not that the attack surface 4 has disappeared. It's more than it's shifted.
5 So while there is no software on the FPGA 6 device, there are many software-based design tools 7 involved in the entre process of manufacturing 8 development and design of this FPGA device. And in 9 that process, there are sever attack points in which 10 malware could enter. Basically, it's a supply chain 11 concern.
12 I think earlier in the morning, how does 13 acceptance testing test against malware? That was 14 asked. And that's one of the concerns, one of the big 15 things about FPGA is what they call hardware trojans 16 which is basically malware in the FPGA. How do you 17 test for that?
18 And that's the kind of things we're 19 researching right now. So what are the main concerns 20 on how to protect against them? And if they do occur, 21 how do you defend them?
22 And so while most of these attacks do 23 require physical proximity or access to the FPGA, some 24 of them can be done remotely or through the supply 25 chain which is one of the bigger concerns. So the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
200 1 findings and insights that we're developing, we want 2 to capture in a way that provides NRC staff with the 3 knowledge they need when they're reviewing these FPGA-4 related materials that are submitted by the licensees 5 and applicants. And what we learn here will be 6 applicable to future architectures or future nuclear 7 power plant applications.
8 Okay. So moving on to autonomous controls 9 and remote monitoring. So while remote monitoring and 10 operations was actually a separate topic under our 11 novel technologies research umbrella, as you'll see 12 later, it's very closely related to autonomous control 13 technologies. So I sort of piggybacked it here on the 14 title.
15 So with autonomous control systems, they 16 can replace the human operators to the degree that 17 there's a human out of the loop. And it can range 18 from basically totally manual operations where the 19 human has to be involved and makes all the decisions 20 all the way to a fully autonomous system where the 21 autonomous control system acts and thinks 22 intelligently and independently with a human not in 23 the loop. Yes?
24 MEMBER BROWN: Pardon the interruption.
25 Take after Jose here. In a way or if you want to look NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
201 1 at that, the reactor protection systems you build are 2 already autonomous. They don't require human action 3 at all.
4 You've got sensors. They process. They 5 determine whether you exceed a particular range of 6 operation that's acceptable. And they scram or don't 7 scram. They are autonomous already. This is not new.
8 MS. KIM: Mm-hmm.
9 MEMBER BROWN: That's all I'm saying. But 10 there are no operator actions other than the backups 11 you may have in case the system fails for whatever 12 reason. I just wanted to make sure we understood that 13 our existing systems, the critical safety systems we 14 have in existing reactors today are basically -- not 15 even just basically, fully autonomous.
16 They require no operator to do anything.
17 He'll be reading meters, and he'll see the plan shuts 18 down. So that's the first thing he sees that is the 19 end result of the whole thing.
20 You don't need sophisticated equipment to 21 do that. We did it with mag amps and vacuum tubes.
22 You probably might not know what a vacuum tube is, but 23 that's okay.
24 MS. KIM: I'm not that young.
25 MEMBER BROWN: You look way to young.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
202 1 Anyway, I'm just saying we've got to be a little bit 2 careful we don't really -- the world of autonomous has 3 been with us for quite a while, forever almost. So --
4 MEMBER MARCH-LEUBA: But that's for the 5 simple functions.
6 MEMBER BROWN: I'm not arguing about that.
7 (Simultaneous speaking.)
8 MEMBER MARCH-LEUBA: What autonomous they 9 mean, they have complete control of the emergency 10 operating procedure. They shut down on recovery and 11 everything else the operator does after the control 12 rods.
13 MEMBER BROWN: That's a second layer of 14 autonomous operation.
15 MEMBER MARCH-LEUBA: That's what they --
16 MEMBER BROWN: We already have simplified 17 autonomous operation.
18 MS. KIM: Well, I would slightly disagree.
19 I was sort of getting there, but we have a full range 20 of autonomous operations. And what you were talking 21 about I would say would be more, like, automated 22 systems. So yes, they don't need --
23 (Simultaneous speaking.)
24 MEMBER BROWN: But those are autonomous.
25 MS. KIM: Autonomous in my view and in the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
203 1 general research seems to have to have intelligence.
2 So I sort of underlined the important keywords in the 3 definition I used in the slide. So it has to be able 4 to think independently which it does.
5 MEMBER BROWN: That's what it does.
6 MS. KIM: Under uncertainties.
7 MEMBER BROWN: Does that also.
8 MS. KIM: And has to learn -- well, I 9 didn't write it down. But it has to compensate and 10 learn from failures all without human intervention in 11 a very dynamic environment. So it has to have some 12 concept of intelligence and independents in there to 13 be a fully autonomous system.
14 (Simultaneous speaking.)
15 MEMBER KIRCHNER: This is Walt Kirchner.
16 I had to deal with this, a whole issue 40 years ago.
17 We were designing a reactor to be remotely operated, 18 the north warning system.
19 And so Charlie, what I would say is yes, 20 what we were designing was essentially on and off, 21 much like a reactor protection system. You've got 22 either you lose power or you lose your signal or you 23 reached your safety limit set points and you trip.
24 And then it shuts down.
25 And if it's an advanced -- well designed, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
204 1 advanced reactor, it passively remains shut down and 2 cools itself and all those other nice features that 3 you would like to see. But you really didn't have 4 control. So I think Anya is making that kind of 5 distinction that it actually can perform.
6 It's not on-off. It's the ability to 7 actually operate and meet the mission requirements 8 whereas what we thought was, well, we lose that comm 9 link, then we're just going to shut down the reactor 10 and the redundancy was the next radar site filling the 11 gap in the defensive line. But it was on-off 12 essentially.
13 It wasn't rally performing its functions 14 as designed to meet the mission requirement. It was 15 just safety. So that's a distinction I would make.
16 And yes, the protective system does function as you 17 indicated.
18 CHAIR HALNON: But I don't that we're 19 talking something that's smarter than bistable 20 controlled --
21 MEMBER BROWN: Well, they are.
22 CHAIR HALNON: -- instrumentation.
23 MEMBER BROWN: No question.
24 CHAIR HALNON: Oh, no. It's only because 25 you got a whole bunch of them. And it votes NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
205 1 bistables. It's just all bistables basically, measure 2 bistable.
3 If you look at the second bullet there, 4 capabilities that diagnosis, prognosis, planning, 5 decision making, those are pre-programmed into the 6 bistables. We're talking about uncertainty, uncertain 7 condition and figure it out and then take an action.
8 It may not be pre-planned.
9 MEMBER MARCH-LEUBA: Yeah, being able to 10 look at the senor signal and say, hmm, it doesn't look 11 right.
12 MS. KIM: Yes.
13 MEMBER BROWN: Why you build in a 14 redundancy and independence. I mean, there's a number 15 of different ways to slay this dragon.
16 MEMBER MARCH-LEUBA: That's why we, like, 17 operate. That's what operate does because I don't 18 have to --
19 (Simultaneous speaking.)
20 MEMBER BROWN: I was going to echo your 21 words exactly. I like operators as well.
22 CHAIR HALNON: That set you up, Doug, 23 really well, doesn't it?
24 MR. BLEY: Anya, this is --
25 (Simultaneous speaking.)
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
206 1 MEMBER BROWN: Yeah, let me finish here 2 just a minute, Dennis, if you don't mind. What you've 3 got to factor into this if you're going to convince us 4 or me if I'm still around is every time you go 5 autonomous, you have to do exactly what Jose said.
6 You have to have built-in sensing, testing systems 7 that are saying, hey, this is drifting outside of the 8 range of what I think it is. Therefore, that needs to 9 be compensated.
10 There are multiple ways of doing that and 11 this might be the best which means more senors to say 12 is that available. There's a whole plethora of 13 complexity that falls into this that really has to be 14 addressed analytically to see if that's useful or not 15 or if introduce complexities which we can't even 16 analyze where we have to do a PRA to figure out of the 17 2,000 sensors we have are going to give us the data 18 and we have the algorithms that are going to do is 19 because it's all for even throwing in the machine 20 learning the AI thought process. You need data to do 21 that. A human being, eyeballs, ears really processes 22 huge amounts of data in just milliseconds when you're 23 doing things. We just need to be thoughtful.
24 MEMBER MARCH-LEUBA: Let me give you an 25 example. Before talking in the microphone, I have to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
207 1 look and see that this green light is green. So it's 2 not green, and computer gets lost.
3 It's not green, I cannot talk. An 4 operator looks at it and says, oh, the lightbulb is 5 fused. It's in an analyzed condition. It's different 6 to do. It's not trivial.
7 MS. KIM: Right. And I'm going to jump 8 ahead a little bit and --
9 CHAIR HALNON: Dennis --
10 MS. KIM: Oh, yes.
11 CHAIR HALNON: -- Dennis Bley had a 12 question. Go ahead, Dennis.
13 MR. BLEY: Anya, thanks. I was waiting 14 for the AI presentation. But this conversation got 15 kind of deeply into it. If NRC is going to approve 16 artificial intelligence based systems with the machine 17 learning, there's all different sorts.
18 But one characteristic of them all because 19 they do learn is that there's no way to do what we do 20 with computer programs now and that's verify them 21 because they're changing themselves all the time. The 22 only thing I can think of if you're going to do that, 23 you have to somehow test the systems, quote, knowledge 24 and reasoning capability, sort of the way we test 25 humans. Have you guys thought about how in the world NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
208 1 you're going to address that issue?
2 CHAIR HALNON: Let's first bring us back 3 to this is a cybersecurity discussion, not an 4 autonomous control/AI development.
5 MR. BLEY: I missed that in the last few 6 minutes.
7 MEMBER BROWN: The next couple of slides.
8 CHAIR HALNON: Yeah. Well, we got to 9 remember these fine folks in front of us are talking 10 about how we maintain cybersecurity protection over 11 these systems, not necessary how they got the systems.
12 They're being handed -- good questions. I think it's 13 just outside of the scope of this subcommittee. Go 14 ahead, Anya.
15 MS. KIM: So yes, I agree with what both 16 of you said. And capabilities were already mentioned.
17 And I just wanted to say I'm probably jumping ahead.
18 But since you talked about autonomous 19 country with the different aspects. So there's two 20 aspects you have to consider with autonomous control 21 systems. There's the level of autonomy which is sort 22 of what were you getting at earlier.
23 And also what is being automated, so the 24 process? If anybody here has a military background, 25 you might be familiar with the OODA loop, observe, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
209 1 orient, decide, and act. It's a way to figure out 2 what the situation around you is and figure out what 3 to do, decision making process. It was developed by, 4 like, a Colonel John Boyd or somebody like that.
5 And while autonomous control systems call 6 it something else. Basically what you have are those 7 four phases. You have the observe where you gather 8 the data.
9 Okay. The light of this microphone is 10 off. And then orient, okay, what should I do about 11 it? I'm talking. And decide, okay, I better turn it 12 on. And then act and actually press the button to 13 turn it on, right?
14 So of those four different distinct 15 segments, autonomous controls could be applied in all 16 four of those and to different levels. They could be 17 fully autonomous. It could be something with user 18 feedback. It could be minimal autonomy.
19 So that whole aspect has to be considered 20 when we're talking about the autonomous control 21 systems. So even though Member Brown sort of said 22 that we already have autonomous systems, I want to say 23 that autonomous systems with varying levels of 24 autonomy have been employed in other industries like 25 robotics, avionics, space craft, transportation, but NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
210 1 not in operating nuclear power plants. However, 2 recently the nuclear industry has been looking at it 3 as a way to lower their operational and maintenance 4 costs, particularly for advanced reactors and small 5 modular reactors.
6 So we are performing this research to 7 better understand what if any cybersecurity concerns 8 there would be with using autonomous control systems 9 in nuclear power plants. And in order to do that, 10 there are a lot of enabling technologies that are 11 needed to provide the capabilities that we saw in the 12 previous slide. And these enabling technologies can 13 shift during large attack surface, thereby creating 14 these new security challenges.
15 And these are -- oh, I picked a few of 16 them -- remote monitoring and operations, digital 17 twins, artificial intelligence and machine learning.
18 So with remote monitoring, you would probably use that 19 to monitor the safety and security functions and send 20 commands maybe if you're talking about remote 21 operating as well. Remote operations would also send 22 commands to the autonomous control system.
23 And then if you have remote monitoring, 24 what would be the connection pathway between the 25 remote monitoring site and the site where the nuclear NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
211 1 power plant is. Wireless is probably something they 2 want. So there's another security concern we have.
3 And you probably are already aware, but 4 remote monitoring really isn't as big a concern as 5 remote operations, being able to do operations 6 remotely is a cybersecurity challenge that the nuclear 7 community has to consider. And then digital twins, 8 digital twin technologies are -- it's a virtual 9 representation of the physical system where the data 10 and information being shared between the two systems 11 and to maintain state concurrence. These technologies 12 could be used to monitor the performance, predict 13 plant performance, evaluate potential scenarios before 14 they make -- before the autonomous control system 15 makes a decision.
16 So there are some security considerations 17 in there like securing that communication link between 18 the virtual representation and the physical system.
19 And also the -- because of the bidirectional nature of 20 the digital twin technologies, if you are able to 21 insert malicious code on side, it can propagate to the 22 other side. And how do you protect the data that goes 23 back and forth?
24 Because the data protection strategy is an 25 important part of maintaining stay concurrent.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
212 1 Another technology that needs to be looked at for 2 enabling autonomous control systems or artificial 3 intelligence and machine learning which would be used 4 in that whole OODA loop I was talking about, the 5 predicting, perception planning, the decision making 6 and actually applying of controls. And in this case, 7 my colleague, Dr. Eskins, will get into it.
8 So I will not go too deeply into it. But 9 you've got explainability. Why did this AI box make 10 this decision? Some AI algorithms are so complicated, 11 it's very hard to understand why with this input, that 12 output came out. And then also there are a bunch of 13 subversion attacks that we need to be able to 14 consider.
15 So any new technologies used to remotely 16 monitor or autonomously control these facilities have 17 to be thoroughly understood. And this also is a work 18 in progress. So we're working to support NRC staff by 19 developing this necessary knowledge and how to go 20 about securing it and developing a technical basis for 21 it as well as identifying potential research gaps in 22 these areas. And then just let me hand this off.
23 MEMBER MARCH-LEUBA: And we wait. Okay.
24 So I've been telling you for the last 20 minutes 25 denial of Service because it's the easiest way to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
213 1 attack one of these things.
2 MS. KIM: Right.
3 MEMBER MARCH-LEUBA: But there others 4 which I don't know. So the only word I'm going to 5 leave you with is completeness, one of my favorite 6 words. Have you analyzed your system?
7 You're completely sure that you attach 8 everything that can happen to is before you leave it 9 and make it charge of your facility? And you're only 10 working with cybersecurity. Other people have to work 11 with the completeness of other functions.
12 But you look at it for the point of view 13 of breaking the VPN or somebody to get this other key.
14 But how do you know you got everything? Completeness, 15 it's an impossible problem.
16 MS. KIM: It's -- I was going to say you 17 can do the best you can.
18 MEMBER MARCH-LEUBA: And then I rather you 19 put that best you can reactor in front of your heart, 20 not next to mine. So you have to convince the public 21 that the risk they're running is infinitesimally 22 compared to the benefit.
23 MEMBER BROWN: May be better after he 24 finishes his AI stuff. I'll wait.
25 CHAIR HALNON: Okay. One last thing for NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
214 1 me. It goes along with what Jose is saying about 2 denial of Service. You mentioned remote monitoring is 3 not as big a concern.
4 However, if -- I can understand how you 5 could not -- if decisions are being made off site, you 6 know it's not autonomous operation where it's a remote 7 operation. But if decisions are being made offsite, 8 whether it be short term or long term monitoring 9 relative to trending and whatnot. Or you cut the 10 ability to remote monitor is concerning.
11 So I mean, it wouldn't just be -- it's not 12 really that important. It's very important, 13 especially if decisions are made offsite. Remote 14 operations is obvious.
15 Adulterate the operations communication 16 line somehow, that's important. I wouldn't discount 17 remote monitoring as being less important. It could 18 be just as important.
19 MS. KIM: Yeah, I did not mean to discount 20 it. I was just trying to compare it a little bit.
21 CHAIR HALNON: Yeah, I understand there's 22 a --
23 MS. KIM: Yes, but there is a --
24 CHAIR HALNON: -- degree of urgency. I 25 understand. Any other questions? Charlie, are you NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
215 1 kidding me?
2 MEMBER BROWN: No, this is for her, 3 though. One of the things to think about, I've got 4 this plant remote autonomous. You've got to have 5 remote monitoring. You have to know what's going on 6 somewhere.
7 And the controls are being done locally 8 because it's smart enough to do things. But it's your 9 cyber security dilution. I want to echo his 10 monitoring is critical because the hacker could hack 11 -- make the plant look like it's just running smooth 12 as silk, and it now has injected also control signals 13 to make it not run smooth as silk.
14 So it's now going to turn into liquid 15 uranium and he'll never know it because there's nobody 16 on the site. There's nobody in the plant. There's 17 nobody in the operations room. It's a dual problem 18 that you have to deal with.
19 Once somebody gets in, they can go one 20 way. They can go the other way. And you'll never 21 know it. You will never know it until you got a pile 22 of mush sitting out there in the desert or next door 23 to some small community.
24 MS. KIM: I agree. And that's why I said 25 in the --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
216 1 (Simultaneous speaking.)
2 MEMBER BROWN: I had one other point. My 3 point being with all that, I think it's incumbent upon 4 you all, okay, it can't be us, to say no. There's 5 going to be a big push to go do all this.
6 MEMBER MARCH-LEUBA: Maybe not incumbent, 7 but it is possible. Don't consider just because a 8 licensee or an applicant sends it to you. You have to 9 say yes which is something that here in this building 10 is almost true.
11 MS. KIM: I'm in research. They would 12 never send it to me. So I would never have to say no.
13 MEMBER BROWN: But you are one of the 14 authoritative voices because you all have done the 15 underlying reviews and thought processes about what 16 are the underlying problems that may not be 17 communicated.
18 CHAIR HALNON: I'm fairly sure that no 19 answer would be a community discussion. The federal 20 office is not just --
21 (Simultaneous speaking.)
22 MEMBER BROWN: Somebody has got to raise 23 their hand.
24 CHAIR HALNON: And identify all the 25 vulnerabilities and potential consequences. It's too NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
217 1 expensive. I mean, anything can be protected probably 2 if spend enough money on it. But that's going to be 3 a decision down the road.
4 (Simultaneous speaking.)
5 MEMBER REMPE: Sometimes in our meetings, 6 we start off with comments, our meetings by individual 7 members should be considered comments by individual 8 members. And I think I don't recall hearing that at 9 the beginning of the meeting today. And I think it's 10 incumbent upon me to mention that. So go ahead, Jose.
11 MEMBER MARCH-LEUBA: I wanted to place on 12 the record a comment by an individual member. You can 13 beyond a shadow of a doubt that an autonomous control 14 system operates safer, better than an operate. I 15 mean, you can run it and you can guarantee that it's 16 100 times better than operate.
17 Unfortunately, I think that it's hard to 18 prove is that autonomous system when they fail, the 19 fail catastrophically. Those operators always fail 20 nicely. I was reading this week I think of this Tesla 21 in automatic driving mode that saw a pedestrian trying 22 to cross the street and instead of stopping, he 23 accelerate because I've learned that when you 24 accelerate, the pedestrians, they jump out.
25 I was reading this. So when they fail, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
218 1 they fail badly. So that goes back to the 2 completeness issue. Don't accelerate against the 3 pedestrians. That's what you need.
4 CHAIR HALNON: I think Tesla was just 5 observing human behavior. Dr. Eskins, why don't you 6 go on with your presentation.
7 MR. ESKINS: Thank you very much. Thank 8 you, Anya. I am Doug Eskins. I am Dr. Kim's 9 colleague over in the cybersecurity research team.
10 And I'm going to briefly be discussing our projects in 11 artificial intelligence and wireless technologies.
12 So beginning with artificial intelligence 13 or AI, as we've kind of mentioned previously today, AI 14 spans a broad variety of technologies from what's 15 called limited AI which is very task specific and 16 reactive all the way to what's called general AI which 17 is much more independent and even theoretically one 18 day could be self aware. A good general definition I 19 use for AI, though, is just technology that can 20 emulate human-like thinking, sometimes even super 21 human-like thinking. Now as far as what we focus on 22 in our research, we're looking at a subset of 23 artificial intelligence known as machine learning or 24 ML.
25 And this is a type of limited AI. It is NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
219 1 characterized by the ability to learn without explicit 2 programming or even domain knowledge. And as you see 3 in the news, there are constantly seemingly everyday 4 new applications of machine learning. It is a very 5 attractive technology.
6 Certainly industry, in the nuclear 7 industry are starting to see the attractiveness to 8 this. And there are several reasons. One has to do 9 with its advantages for building models or 10 representations. It can build models that can be 11 built faster and cheaper.
12 These same models can be computationally 13 more powerful and efficient than the kind of, say, 14 physics-based models we have today. They can also 15 represent new domains and more broad and integrated 16 domains than our current types of models. Another 17 very attractive feature is that machine learning 18 models can be built without explicit domain knowledge.
19 So just collecting data, not necessarily 20 knowing anything about the underlying system you're 21 building, you can still build a machine learning 22 model. So based on these attractive features, we 23 think the industry and the nuclear industry will in 24 the future expand its use of machine learning models 25 in various capacities. Oh, not quite. Could you go NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
220 1 back? Thanks, Tammy.
2 Now of course of the flip side of this, 3 there are disadvantages to machine learning models.
4 And one of them is that these models can be black box.
5 That is the users and even the builders may not have 6 detailed knowledge of internal structures and 7 relationships which as we mentioned before makes them 8 sometimes difficult to explain and also difficult to 9 validate, verify, and quantify associated 10 uncertainties.
11 Another issue with machine learning models 12 is that because they are so highly dependent on the 13 data used to build them and the training process with 14 that data that the results can be non-deterministic.
15 And if the data used to train the model is not 16 complete, the model that is created may not fully 17 represent all possible system states. They won't be 18 complete.
19 MR. BLEY: Doug?
20 MR. ESKINS: Yes.
21 MR. BLEY: Dennis Bley. Two related 22 things. Up there in the black box, you kind of hit on 23 what I was talking about earlier. But given that, and 24 maybe you're going to talk about this and that would 25 be great.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
221 1 One is how in the world can you even 2 identify that such a system has been attacked. And 3 that's the main thing. Since you don't know what's 4 going on inside, you just see what it's doing on the 5 outside. How do you have any idea if it's been the 6 victim of a cyberattack? And if it has been, what can 7 you do about it?
8 MR. ESKINS: Right. That's definitely an 9 issue with this technology. You cannot look inside 10 and validate the state of the model in many cases. So 11 if there are changes that have been made to it due to 12 a cyberattack, it would be difficult to detect that.
13 I think that's a subject of ongoing 14 research for the people who intend to use these type 15 of models certainly for applications where those type 16 of state changes would be detrimental to some sort of 17 safety-related process or so on. It's definitely --
18 I agree. That's a problem. And that's a subject of 19 ongoing research.
20 (Simultaneous speaking.)
21 MR. BLEY: You're looking at that. And do 22 you have -- has your research taken you to the point 23 that you have some ideas of how people could attack 24 such a system?
25 MR. ESKINS: I would say that our research NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
222 1 at the NRC is still in its infancy. From looking at 2 the literature, there are some discussions about how 3 these type of models can be attacked. For example, if 4 you can corrupt the training data, then you can 5 corrupt the resulting model.
6 I think there are several examples. For 7 example, with image recognition where small changes in 8 the image can result in classification errors like --
9 so you mis-classify an animal or maybe a stop sign as 10 a speed limit sign and so on because you really --
11 it's maybe not impossible. Certainly with what we 12 know now, it is often difficult to understand how the 13 model is coming to the conclusion --
14 (Simultaneous speaking.)
15 MR. BLEY: Okay. It'll be interesting to 16 see how this goes in the future. I guess the only 17 thing I was thinking, I guess you could feed it a 18 bogus set that would teach it to develop wrong 19 conclusions. But I don't know if anybody has been 20 able to do that.
21 MR. ESKINS: Yes, I think that has been 22 done. And there is also work, I believe, on using a 23 different machine learning model to kind of detect 24 corruption of the first model. But yeah, it's 25 ongoing. And if you have any comments.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
223 1 MEMBER MARCH-LEUBA: Let me be completely 2 out of character here. As much as you can tell, I was 3 not against but cynical of Anya's topic. I like your 4 topic, Doug.
5 I think AI has future. And you just have 6 to be limited to what it can do. You have to 7 understand what it can do. If it's really, really 8 good, I'm telling you, hey, this battery is not what 9 I learned.
10 Your reactor typically behaves this way, 11 and this is parting from it. I don't know what was 12 doing it, but it's not what it's been doing before 13 which is what we do when we're in the car and suddenly 14 start hearing, nick, nick, nick, nick, nick. You say, 15 well something is wrong. It's probably a belt.
16 But I don't know if it's a belt or not.
17 But certainly it's not my car. So that is very good, 18 and it has possibilities.
19 MR. ESKINS: I agree. And when we talk 20 about the actual project, we'll briefly cover that 21 kind of potential for classification.
22 MEMBER MARCH-LEUBA: But it doesn't need 23 to classify as long as it detects departure from 24 normal.
25 MR. ESKINS: Which I guess if you look at NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
224 1 it, that's a kind of classification. But it's very 2 broad. This is normal and this is abnormal.
3 MEMBER MARCH-LEUBA: The word of the year 4 is going to be hallucination because that's what 5 happens when you try to do too much with AI. You 6 start hallucinating. But as long as you keep is 7 simple, it has possibilities. That's enough.
8 CHAIR HALNON: I'd take that and run with 9 it.
10 MR. ESKINS: And then definitely the goal 11 of our research is to try to understand the technology 12 and figure out those applications for which AI is good 13 and maybe those applications for which it's 14 inappropriate.
15 MEMBER MARCH-LEUBA: But to detect, it has 16 to be in programs, I guess. So to detect that some 17 part of my system has been tapered with and behaving 18 abnormally, AI is perfect. Of course, you probably 19 detect when your reactor starts smoking, right? Maybe 20 before it starts smoking, you can see it. So it's not 21 a bad application.
22 CHAIR HALNON: Well, I was more concerned 23 and one of the reasons I asked to have it on here is 24 try to understand you mentioned the no so good use of 25 it. I'm thinking of the cyber hackers using it NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
225 1 against itself to learn its vulnerabilities and keep 2 on poking. To me, that's one of the worst things 3 about AI is the bad actors taking hold of it and being 4 able to use it more effectively than what we could use 5 it.
6 MEMBER MARCH-LEUBA: The beauty of AI 7 models is that not even themselves know how they work.
8 So it's very difficult too. And what you heard that 9 somebody just developed an AI model for the dark web.
10 So instead of you going into touring the 11 dark web, you can ask questions to this. I mean, it's 12 the same thing. So you can train them into bad 13 things.
14 And you can train them to write software.
15 You can train them to write malware. But that's what 16 you're hearing on the news. This application is 17 different.
18 MR. ESKINS: And that is a good comment.
19 I agree. That's one of the two main areas in which we 20 have concerns, how attackers would use AI and exploit 21 AI applications, vulnerabilities introduced by it. So 22 next slide.
23 Our research motivation for this is kind 24 of along the lines of what we discussed here is that 25 we've seen the increasing application of AI to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
226 1 cybersecurity generally across multiple industries.
2 And also within the nuclear industry, we've seen more 3 and more discussions about applying AI to the nuclear 4 domain. So that intersection of those two areas, the 5 application of AI to nuclear cybersecurity, we feel 6 that there is a potential for future regulatory 7 concerns.
8 And we need to do the research or we want 9 to do the research now to be able to address those 10 concerns in the future. And as I just mentioned, the 11 two categories of those concerns. One is to ensure 12 the cybersecurity of licensees use of AI, and the 13 other, of course, is to look at what vulnerabilities 14 may be introduced and especially by the attackers of, 15 say, nuclear power plants who are using AI for their 16 attack.
17 So we're kind of interested in both those 18 areas. I think we'll go on to the next slide. So we 19 have one project. It's a future focus research 20 project that is directly related to this area of 21 nuclear cybersecurity and AI.
22 And this project is exploring whether 23 machine learning can be used to characterize nuclear 24 cybersecurity states. I will say this is future 25 research. So it's more blue sky and speculative than NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
227 1 our normal research projects.
2 So the funding for this comes out of a 3 different pot than our normal program office funded 4 activities. But the overall concept of this project 5 is can plant data be used to train a machine learning 6 model? And can that model then be used to 7 differentiate between cyber events and other events, 8 which could be normal behaviors or equipment 9 malfunctions.
10 We're also investigating if we can 11 distinguish or differentiate between different types 12 of cyber events. Now this is just basic research, so 13 we're just trying to understand the technology. But 14 if you're looking for an application in the near 15 future, it may be that the licensee would use this as 16 a sort of operator aid, not for direct control system.
17 Our goals are pretty straightforward with 18 this project. We wish to understand how we would 19 assess and validate these type of models. What 20 vulnerabilities are introduced by this technology, and 21 just basically to develop NRC staff competencies and 22 knowledge in AI and the application to nuclear 23 cybersecurity. I'll move on to the last topic which 24 is --
25 MEMBER BIER: Excuse me. Before you move NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
228 1 on, I want to make sure I understand what's intended 2 there. It sounds like you're anticipating that 3 machine learning could be used in kind of a worry 4 capacity, correct?
5 Like, we see something strange going on.
6 This could be a cyber issue. Some human should go 7 look into it. Is that accurate?
8 MR. ESKINS: I think that's a possible use 9 case. Because of the complexity of plants and the 10 cyber systems and so on, it'd be very difficult for a 11 single individual to gather and understand all that 12 information. So this may in the future be a useful 13 aid to help operators understand the state of the 14 plant and make decisions on what actions to take.
15 MEMBER BIER: Okay. Thank you.
16 MEMBER MARCH-LEUBA: This may not be 17 applicable to cybersecurity nuclear plants, but 18 cybersecurity detection. They have guys looking at 19 screens to identify patterns. This computer is 20 sending too many packets to the server in Finland.
21 And that I never seen before. And that's 22 something an AI can do very well. I don't know how 23 you would apply that to a system before your reactor 24 smokes. But certainly it's applicable. I like you.
25 MR. ESKINS: One of the things we're doing NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
229 1 with this project and we've partnered with Purdue 2 University. They have the only all digital I&C 3 research reactor. So it's very nice because we have 4 access to a lot of those underlying data because it's 5 digital already.
6 And we're looking at IT and TO data. And 7 we're still in the exploratory phase trying to figure 8 out what data sets are important to collect. What 9 kind of insights can we obtain, and what type of 10 machine learning models might be useful.
11 So we should complete this project in 12 about a year. And then we'll have a public report 13 that we publish detailing what we've learned. The 14 final area I'll --
15 MEMBER BROWN: When you say digital, you 16 mean software-based, not analog. You can build analog 17 digital circuits, I mean, without software. I've done 18 that before to control things.
19 It makes decision processes. You put data 20 in. It decides whether you're going to do this or 21 that or what have you. But it goes through logic 22 based on the inputs you've done. So I presume you're 23 meaning software-based distance. Okay.
24 MR. ESKINS: Yes, sir.
25 MEMBER BROWN: I just want to make sure I NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
230 1 knew what you were talking about. Digital is not --
2 it can be other than software.
3 MR. ESKINS: And I cannot say if they 4 don't have somewhere in the plant an analog meter or 5 so on. But my understanding is that data is being 6 converted over to digital form.
7 MEMBER BROWN: Absolutely, yeah, 8 absolutely. I wasn't saying that. That wasn't the 9 point. The point is that the overall process is 10 software-based going through a sample time and coming 11 up with the result at the end, not as opposed to a 12 digital logic where data is coming in and boom, boom, 13 steps through like a FPGA type thing.
14 MR. ESKINS: I believe they mentioned to 15 me last time they had a data collection breach of 16 about 20 hertz. So it was just a few minutes of 17 information. There's quite a pile elected from all 18 the different instruments which is a challenge in 19 itself to try to understand that data.
20 Okay. So wireless -- our last topic is 21 research on nuclear application of wireless 22 technologies. And now because we already discussed 23 wireless a little bit this morning and the technology 24 is ubiquitous, most people understand when I say 25 wireless what I mean. But for our project just to be NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
231 1 specific, we looked at recognizable protocols like 2 WiFi and Bluetooth.
3 But we also considered the more industry 4 protocols like ZigBee and WirelessHART. And also as 5 we discussed, the background here is it's a little 6 redundant. But a current licensee cybersecurity plans 7 which have to be approved by the NRC prohibit the use 8 of wireless in safety applications.
9 And what this does is in addition to 10 certain design features like deterministic data 11 diodes, it helps to establish isolation for the 12 safety-related systems as well as supporting the 13 required defense-in-depth for their cybersecurity 14 protected strategies. Now we're motivated to perform 15 this research because licensees have become very 16 interested in using or expanding their use of wireless 17 and nuclear power plants. And they desire to do this 18 because they want to reduce radiological exposure to 19 their staff or O&M costs, a couple of reasons.
20 And as we discussed it this morning, these 21 applications could include the installation of 22 monitoring and control functions on or near safety 23 equipment. Now this obviously could be a concern 24 because it could violate or it could affect the 25 isolation requirements that is the predicate for a lot NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
232 1 of our cybersecurity plans and analysis. Because it's 2 possible that licensees may want to engage with the 3 NRC to allow the use of wireless, we are conducting 4 this research.
5 And we are anticipating engagement to 6 address these issues. Some examples of the challenges 7 that we face or a licensee would face is ensuring that 8 any changes to a wireless system or any implementation 9 of wireless would maintain the same or better levels 10 of cybersecurity. Also that it would maintain the 11 required defense-in-depth requirements.
12 So one step that we are taking is to try 13 to learn from other applications of wireless and 14 safety critical applications. And we undertook a 15 research project in 2021 where we went out in a two-16 step approach. We looked at literature regulations 17 and guidance from other places on their use of secure 18 wireless.
19 And we also surveyed critical 20 infrastructure subject matter experts on how they use 21 wireless in safety critical applications. Now what we 22 found from this report was that there's a large amount 23 of material on the secure use of wireless in a 24 traditional IT network. But both are lit reviews and 25 interviews with subject matter experts indicated that NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
233 1 there is no significant use of wireless for safety 2 critical applications.
3 MEMBER MARCH-LEUBA: This was a 4 consequence of the fact that it was a problem with the 5 technology, the fact that people do not feel 6 comfortable using it, or there was no history, I don't 7 want to be the first one? What do you attribute it 8 to?
9 MR. ESKINS: The report listed these two 10 reasons that I can recall. One is the lack of 11 appropriate guidance.
12 MEMBER MARCH-LEUBA: I don't want to be 13 the first one.
14 MR. ESKINS: Right, right. And there were 15 considerable unknowns in how to implement this 16 securely.
17 MEMBER MARCH-LEUBA: Anybody concerned 18 about EMI, electromagnetic interference, on other 19 equipment? When you start beaming electromagnetic 20 energy in a room, your cables start getting it.
21 MR. ESKINS: We did actually. We had a 22 separate project which looked at those kind of issues 23 from a safety perspective. It's outside of 24 cybersecurity. But actually we kept an eye on that 25 report as well. I supposed an adversary could use NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
234 1 some sort of an EM pulse weapon to exploit that sort 2 of vulnerability as well. In this case, we just 3 looked purely at the cybersecurity implications.
4 MEMBER MARCH-LEUBA: Yeah, the Bluetooth 5 especially is a short length. You cannot pack my 6 Bluetooth device on the street. WiFi, you can do 100 7 feet. It has some advantages, but cybersecurity.
8 CHAIR HALNON: So with what you know now, 9 do you see an avenue where this wireless could be used 10 safely? I mean, I know you haven't really found any 11 place that it's being used at this point. But do you 12 see potentially an avenue where it could be?
13 MR. ESKINS: I would say it's too soon to 14 tell. We are just really beginning to explore this 15 area in research space. So I wouldn't venture to 16 comment on that right now. I don't know if anyone.
17 MR. GARCIA: I was going to say -- Ismael 18 Garcia. I was going to say do we have a following 19 effort, research that's getting to that question. If 20 you were to use safety-related functions, for example.
21 What needs to happen to do it --
22 CHAIR HALNON: Yeah, I mean, I know that 23 --
24 MR. GARCIA: -- in a safe and secure 25 manner?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
235 1 CHAIR HALNON: -- industry is using it in 2 work controls and other things, business applications 3 for lack of a better term. But I know there's a high 4 desire to move into being able to employ the 5 technology to do this because the wiring and the fiber 6 optics and all that stuff is very expensive to do to 7 get into a place where we can do locally WiFi type, 8 then maybe not same frequencies. Maybe some way 9 encrypting it or whatever the case may be.
10 That would be highly desirable. Now when 11 we get into the advanced reactors, especially 12 potentially movable reactors, you're not going to have 13 the ability to wire up a new control room every time 14 you move the potential transportable reactor. So you 15 have to start thinking about, okay, how do we move the 16 whole infrastructure or this reactor control? And I 17 don't see any other economical way to do it other than 18 somehow wireless. But of course, I know you have to 19 make it safe too. So anyways --
20 MR. COOK: If I could make a comment.
21 CHAIR HALNON: Sure.
22 MR. COOK: Sure. I'm Chris Cook, Chief of 23 Instrumentation Controls, Electrical Engineering 24 Branch and Research. What I just want to add onto 25 that is one of the things that we're doing as Doug was NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
236 1 talking about is trying to make sure that we're 2 following the research that is being funded outside 3 particularly by DOE. There's a large effort through 4 LWRS, through other programs that are happening within 5 DOE where they're looking to try to use wireless.
6 We're trying to monitor their efforts and 7 work collaboratively. We have MOUs with DOE. We also 8 have MOUs with EPRI. And that's part of what we see 9 in the Office of Research is really understand as 10 they're pushing forward with looking at the 11 capabilities of technologies.
12 What are the vulnerabilities? What 13 changes would need to be made to the security 14 controls? I'm sure Brian can expand upon that and 15 some of the things that industry and other groups like 16 NEI you're already approach the agency about.
17 But that's really what we see our mission 18 as trying to help them be ready -- the staff be ready 19 for when that comes, if it comes. And looking at the 20 amount of money that these other federal agencies are 21 putting into it, I think it's more of an if -- sorry, 22 a more of a question of when and not if. It'll come.
23 CHAIR HALNON: That's good to hear because 24 obviously the regulatory process needs to be in 25 parallel, not --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
237 1 MR. COOK: Yeah.
2 CHAIR HALNON: -- blocking it.
3 MR. COOK: And we're trying to be ready 4 for that. But we're also -- Member Brown, other 5 comments by other people, understood, clearly 6 understood that. And that's why we're looking at it 7 trying to see, well, how can we be ready for that?
8 What do we need to be looking at?
9 What are the controls, the other things 10 that need to be changed to put in place to have that 11 for the operating fleet because it's the O&M costs?
12 And then we're also trying to look ahead into whatever 13 would happen after the rulemaking go forward and the 14 guidance happens. And I realize it's more of the 15 advanced reactor type of meeting than the operating 16 ones. We're trying to be ready for that.
17 CHAIR HALNON: And it's not just you don't 18 have it. It's obsolescence. By the time you hook up 19 your computer at the house, it's obsolete. So just 20 trying to keep these plants going for 80 years. We 21 need to have new technology.
22 MR. COOK: And what we're seeing, like, 23 with DOE, they have the advanced monitoring program, 24 the program that's there. They're trying to go in and 25 say, can we, outside of our secure network, just put NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
238 1 a camera? Watching an analog gauge and then beam that 2 into control.
3 Can we remove particular surveillance for 4 fire watches if we just have a monitor that's there 5 that's all the time working? You don't have to worry 6 about them missing. So these are the things that DOE 7 is putting a lot of money into in funding and looking 8 out with different utility groups.
9 And so this is what we're trying to keep 10 up with. That's the fun part of our job is, like, 11 okay, what's going to happen. When is this coming?
12 How do we get ready for it to sort of see what are our 13 controls? Because they're looking at trying to put 14 these technologies out there. But we're looking at 15 with our different perspective of what are the safety 16 and security impacts on making sure we fully flesh 17 that out.
18 CHAIR HALNON: Thank you.
19 MR. COOK: Yeah, thank you.
20 MR. ESKINS: Thanks for those comments, 21 Chris. Appreciate it. So the results of this report 22 have been published in a technical letter report with 23 the ADAMS session number on this slide. This is just 24 our first step in trying to explore the nuclear 25 wireless cybersecurity problem space. As Ismael just NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
239 1 mentioned, we have an ongoing project to do a security 2 impact assessment on a wireless application. And of 3 course, we are monitoring other activities and hoping 4 this will inform future research in this area.
5 MEMBER BROWN: I thought you were done.
6 MR. ESKINS: I am.
7 MEMBER BROWN: Then I'll raise my hand.
8 We're going to do all this wireless and where are we 9 going to store all the batteries for all the remote 10 wireless devices we're laying around. I mean, if --
11 MEMBER MARCH-LEUBA: That's what the power 12 cable is for.
13 MEMBER BROWN: Well, we're just seeing as 14 Greg said, you got to run this cable down there to get 15 this data back out. Well, we're going to have to have 16 battery storage, thousands of batteries sitting up 17 there, all different kinds because nobody will use the 18 same type of battery. And they won't use the ones you 19 can buy in the hardware store.
20 There'll be special ordered that you have 21 to go online to guy because there'll be no store to go 22 to. There's a little bit of a supply -- it's not a 23 supply chain issue. It's a matter of uniformity of 24 what you could do.
25 If you're going to do wireless, you sure NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
240 1 as heck better think about what you're going to do.
2 And you also have to make sure, like, with my high 3 tech smart phone. I walk three feet in my house and 4 I go from two bars to none. So depending on the 5 wireless system you have set up, of course, this is an 6 exception. You've got your towers that you have to 7 deal with and there's loads.
8 You're going to have the same type of 9 things. So the pattern when you walk around a hunk of 10 big huge wall that's all steel, you might all of a 11 sudden not have information. So there's a lot of 12 other little nuances that need to be thought about 13 with this.
14 And I haven't heard a single person tell 15 me about the thousand batteries they're going to use 16 once you hook up all these wireless things because 17 they're all unique locations. Every instrument will 18 need a new wireless device to broadcast because 19 otherwise you got to run cables between them with 20 other sensing devices, computational devices, and 21 input devices to get the data where it can be used by 22 the wireless thing you're using. There's a lot of --
23 people talk about how nifty it is.
24 I'm a great one for -- one of the 25 arguments these days in the plant world is for backup NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
241 1 systems. Could you be allowed to use diverse software 2 type systems or backup systems as opposed to hard wire 3 switches to turn your pump on or off in the existing 4 reactors and stuff like that? I'm not going to use a 5 new set of complex diverse software that I have to 6 validate that doesn't ever get compromised as opposed 7 to a switch that I turn and the motor stops if the 8 rest of the plant has been compromised for some -- or 9 you don't have access to the main control room.
10 Small thoughts like that just seem to be 11 dismissed. I just think you have to be careful as 12 you're walking down the path. There are some valid 13 uses or critical uses when you talk about high 14 radiation areas.
15 Then you make -- do I want to run a cable 16 or does the wireless device give me better, more 17 suitable results? And that could be a battle between 18 simplification of the cables or the more complex 19 wireless. I'm not sure I know how I would probably 20 votes. But you'd still need a battery for the 21 wireless device.
22 CHAIR HALNON: You can tell what keeps 23 Charlie up at night.
24 MEMBER BROWN: I hate to say it, but I do.
25 I worry about this stuff. I know we got to look at NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
242 1 it. You can't ignore it. It's just like you were 2 talking about the AI machine learning a minute ago.
3 You made the comment about it can build 4 models, the physics models we build using our brains.
5 But hold it. If it's going to build models, it's got 6 to have physics embedded in it and somehow be able to 7 use that physics. And it's the same physics you would 8 be manually building the model with.
9 So the training is all what you would be 10 using. And now you're going to embed it. And now you 11 get all the nuances that you know are embedded in that 12 training into it. That's another difficult problem in 13 itself.
14 CHAIR HALNON: Let's go ahead and move on 15 before another --
16 MEMBER BROWN: Oh, I've got more.
17 CHAIR HALNON: I know. That's what I'm 18 saying.
19 (Simultaneous speaking.)
20 MEMBER MARCH-LEUBA: I need to add 21 something for the record because I don't dislike 22 (audio interference). I know you don't know what a 23 smart TV is.
24 MEMBER BROWN: What?
25 MEMBER MARCH-LEUBA: Smart TV. I have NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
243 1 many of those in my house. You just go plug it to the 2 120 volt and they work. WiFi, they could get the 3 signal. And everything works fantastic. So even 4 though you have a power cable doesn't mean I have an 5 ethernet cable.
6 MEMBER BROWN: No, I got a smart TV, but 7 I'm not.
8 CHAIR HALNON: All right. Let's bring it 9 back, guys.
10 MEMBER MARCH-LEUBA: So there are 11 applications. There are applications where certainly 12 I wouldn't want to have a cable for my smart TV.
13 CHAIR HALNON: Okay. Take control.
14 MEMBER BROWN: Mine's got a cable.
15 MS. ANTONESCU: There's a bunch of 16 research that --
17 CHAIR HALNON: No, you're on. It's just 18 you got to state your name.
19 MS. ANTONESCU: Oh, Christine Antonescu.
20 Some of the research that was undertaken with Oak 21 Ridge National Lab. I don't know if you're aware. I 22 think two of them at least assessing the impact of 23 wireless technology and the other one as deploying 24 wireless technologies for safety systems. So I don't 25 know if you're aware of them.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
244 1 But we've done a lot of work. Research 2 was ahead of the game about ten years ago on wireless.
3 I was part of it.
4 MEMBER MARCH-LEUBA: I never copied.
5 MS. ANTONESCU: Yeah.
6 MEMBER MARCH-LEUBA: The email numbers.
7 CHAIR HALNON: Okay.
8 MS. ANTONESCU: I have to find the NUREG 9 numbers. I forgot.
10 CHAIR HALNON: Doug, go ahead and wrap up 11 your presentation.
12 MR. YIP: I can wrap up. This is Brian 13 Yip. I'll just wrap up by thanking Dr. Eskins, Dr.
14 Kim for their presentations and as well as to Chris 15 and the rest of his branch. As you saw, these are 16 really complex topics and their work is critical to us 17 being able to review these appropriately once they 18 come down the pipe to us.
19 Many of these topics are interrelated.
20 Like we saw the discussion about machine learning and 21 how that might apply to autonomy or operations and 22 wireless. We'll just highlight these three bullets 23 here, just highlight some additional research we 24 didn't cover in this presentation today. But we're 25 looking at EPRI has an approach called the technical NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
245 1 assessment methodology.
2 We're looking at that approach and how it 3 looks. Critical digital assets, how you look at their 4 attack surface. And then address different ways that 5 they can be exploited by security controls.
6 We're looking at that and similar 7 approaches and how licensees might be able to apply 8 them in novel ways, including during digital I&C 9 upgrades. I know Vogtle used that approach for some 10 of its applications too. Just looking to see where 11 that might also be able to be applied.
12 Also looking at digital I&C upgrades. The 13 current research is looking at all of the security 14 controls in the cybersecurity plans and sort of a 15 final life cycle approach to them. So if a plant 16 wanted to start thinking about cybersecurity in 17 advance during a digital I&C upgrade process, what 18 controls might they consider during the design, during 19 early on in the upgrade if that's their advantage.
20 And the lastly although there are a lot of 21 -- some are rigid cybersecurity controls in the 22 security plans, there are processes for plans to take 23 an alternate approach if that's appropriate. And so 24 research is also helping us look at how we think about 25 what is a alternate approach and how inspectors might NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
246 1 be able to assess those out in the field. With that, 2 I'll just say thank you and turn it back over to you.
3 CHAIR HALNON: Thank you, Brian. Members 4 or consultants, any other questions?
5 Okay. This time, we'll go out for 6 comments from the public. Anyone from the public 7 desires to make a comment, please unmute yourself.
8 Identify yourself and state your comment. I'll wait 9 for a couple minutes. So anyone from the public want 10 to make a comment at this time?
11 Okay. Not hearing any comments, I'll go 12 ahead and close the meeting. I want to thank the 13 staff. You all did a fantastic job bringing this all 14 together and a very comprehensive topic.
15 Also wanted to thank, if you guys would 16 pass on to Ryan from DHS, for joining us today. It's 17 a very important topic. I'm sure that we'll -- as the 18 technology moves on, we'll probably maybe next year 19 ask for an update.
20 Probably shorter, but we do appreciate the 21 passing along of information and everything that you 22 were able to bring to us. The information that we 23 heard today and the dialogue that we had look at 24 future reactors. Every time we get to the advanced 25 reactor application, we talk a little bit about NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
247 1 autonomous, wireless, all kinds of things.
2 And knowing that you guys are looking at 3 this and aggressively going after it will help. And 4 certainly if we come up with any show stopping type 5 questions in any of our reviews, we'll call on you to 6 come in and help us understand how we get beyond that.
7 Again, I want to thank you, Brian. Thank you for your 8 staff, Chris, for coming in. Last chance, any 9 members?
10 MEMBER REMPE: I want to thank not only 11 the staff but also you and Christina and Charlie and 12 Jose because I think all of you worked together to get 13 this together.
14 CHAIR HALNON: Yeah, I appreciate that 15 because especially what Dan and Christina put together 16 the agenda. And we had a couple scheduled meetings 17 that were very good. So everyone did a fine job 18 getting this put together.
19 Like I said, it's very broad. As we know, 20 we went around the circle a few times on some of these 21 things. So thank you for reminding me. Anything 22 else?
23 MEMBER MARCH-LEUBA: Yeah, I wanted to 24 thank you guys. As I say at the end of these 25 presentations, if I talked too much, it's because the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
248 1 topic is interesting. So if you look at the topic, 2 the transcripts, and you see, Jose, shut up, it's 3 because it's boring.
4 I was not complaining about your devices 5 or your approaches. I did have an agenda. I make a 6 prediction. I won't be here forever. I'm making a 7 prediction that one of these days we're going to have 8 a cyberattack in an operating plant.
9 And you guys are going to be on CNN all 10 weekend. And they're going to call on you and say why 11 didn't you prevent? So I do have an agenda. I know 12 that this is serious.
13 As much as I love research, I love 14 research most of my life. We protect operating 15 reactors. And it's not just the nuclear island and 16 the RPS. It's everything that is around it.
17 We need to protect the aquarium. And 18 every time you guys go to a power plant and do an 19 audit on the cyber protection system, ask them what is 20 their program and is it protected. Because somebody 21 is going to get into one and we have a lot of egg in 22 our faces when we say that we have a program, and we 23 have audited, and this still went past us. Thank you.
24 CHAIR HALNON: We started with an aquarium 25 of dead fish and we're ending with an aquarium of dead NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
249 1 fish. Charlie, you had --
2 MEMBER BROWN: Another dead fish here.
3 No, I've made a lot of what sounds like very 4 skeptical, negative, critical comments. I am 5 skeptical, but its' incumbent upon us to be skeptical.
6 And as Jose noted, we're both very, very 7 cautious when we look at this whole world. And even 8 I don't want to take comments or questions as negative 9 because it was really to engender the input that we 10 got from all the presenters, okay, relative to the 11 subject. It's a very important subject and it's 12 getting more and more as the days and months go on.
13 So I just really appreciated the candid 14 back and forth, the disagreements when you disagreed 15 which was just fine. That's why we do it. I did want 16 to thank everybody, and that's all. You can pass it 17 on to the earlier presenters as well because I thought 18 the meeting came out very, very well.
19 CHAIR HALNON: Thank you, Charlie. Vesna.
20 MEMBER DIMITRIJEVIC: Well, I was quiet 21 most of the meeting. But I just really want to thank 22 for the great presentation. I took a million notes.
23 I just want to make a comment which I 24 actually find most fascinating that you didn't talk 25 about this 53 and technology includes risk informed NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
250 1 and performance based. And I think that this is the 2 area where this is totally not applicable first 3 because this is not technology inclusive. Technology 4 is unlimited.
5 They're merging. They're growing every 6 day. Performance based, there is no way that we can 7 make performance because as Jose pointed in the 8 beginning, the challenges -- numerous challenges 9 coming every day.
10 And then what is my area when it comes to 11 the risk informed, risk informed is only possible if 12 we don't really define pre-release. And this million 13 new risk challenges come with that. Totally something 14 never considering the PRA or, you know, like, what 15 happened errors of commission or the -- it doesn't 16 have to happen during the plant operation.
17 If we look what in Chernobyl, in the 18 different test and maintenance. So it's a fascinating 19 area. And my favorite slide is this last slide with 20 the million question marks lined down because that's 21 something which we will be addressing in the future.
22 So thank you.
23 CHAIR HALNON: Thank you, Vesna. At the 24 risk of someone taking me up on it, I'm going to look 25 around the room one more time. Okay. We thank you NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
251 1 again. And with that, meeting is adjourned.
2 (Whereupon, the above-entitled matter went 3 off the record at 2:58 p.m.)
4 5
6 7
8 9
10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3(27021) 234-4433
NPP Cybersecurity Current Status and Contemporary Threats Dan Warner Cyber Security Branch (CSB)
Division of Physical and Cyber Security Policy (DPCP)
Office of Nuclear Security and Incident Response (NSIR)
US NRC Cybersecurity Program Full Implementation Inspections Full Started Implementation Inspections Full Implementation Completed Inspections at all Licensee Sites Baseline 2017 2018 2019 2020 2021 2022 Inspection Program continues Biennial Baseline inspections start
Key Messages
- Cybersecurity controls in place at nuclear power plants provide defense against attack pathways of concern.
- Programmatic controls ensure that the cyber program is positioned to address the ever-changing threat environment and ensuring defense-in-depth is maintained.
- Inspection program verified licensee implementation of cybersecurity programs and now reviews program maintenance.
Definitions
- Critical System - An analog or digital technology-based system in or outside of the plant that performs or is associated with a safety-related, important-to-safety, security, or emergency preparedness function.
- Critical Digital Asset (CDA) - A digital computer, communication system, or network that is:
- A component of a critical system; or
- A support system asset where failure/compromise by cyberattack would result in an adverse impact to SSEP function
Definitions
- Types of CDAs and Required Controls:
- EP CDAs - CDAs associated with EP functions that do not have an independent and diverse alternate method to perform the EP function.
- Controls: Baseline controls or full direct CDA controls.
- Controls: Addressed in subsequent slides.
- Indirect CDAs - CDAs that cannot have adverse impact on safety or security functions prior to detection/compensation of compromise/failure implemented.
- Controls: Baseline cybersecurity controls.
- Controls: Determined through cybersecurity controls assessment.
Baseline Cybersecurity Controls
- The following controls are the baseline cybersecurity controls for EP, Indirect, and BOP Scram/Trip CDAs.
- Located within the PA/VA, or NEI 08-09 Section E.5 controls applied.
- No active wireless internet communication on CDA or interconnected assets.
- CDA and interconnected assets are air-gapped or isolated by deterministic device.
- Portable media use is controlled in accordance with NEI 08-09 D1.19.
- Changes to CDA are evaluated and documented before implementation.
- CDA or interconnected equipment affected by compromise of CDA periodically checked to ensure it is can perform its intended function.
- Ongoing monitoring and assessment is performed to verify the baseline security criteria remain in place.
Attack Pathways
- Licensees are required to ensure all potential attack pathways are protected. These include:
- Physical access
- Wired connectivity or communications
- Wireless connectivity or communications
- Supply chain
- Portable media and mobile devices (PMMD).
Attack Pathways: Physical Access
- Physical access controls ensure only the appropriate personnel are able to interface physically with a CDA.
- Sample applicable controls:
- Access control policy and procedures
- Account management
- Access enforcement
- Physical access controls
- Least Privilege
- Logging
Attack Pathways: Wired
- Wired access controls ensure only the appropriate personnel are able to interface with a CDA using a wired network.
- Sample applicable controls:
- Access control policy and procedures
- Account management
- Access enforcement
- Physical access controls
- Least privilege
- Logging
- Network access control
- Open or insecure protocol restrictions
- Insecure and rogue connections
- Use of external systems
Attack Pathways: Wireless
- In addition to the previous controls, wireless access controls ensure the implementation of adequate protections and procedures to minimize the cyber risk associated with the use of wireless technologies.
- Sample applicable controls:
- Only allowing wireless access through a boundary security control device.
- Prohibiting use of wireless for CDAs associated with safety-related and important-to-safety functions.
- Disabling wireless when not used.
- Conducting scans or employing a wireless intrusion detection system for unauthorized wireless access points and disabling them if they are discovered.
Attack Pathways: Supply Chain
- Supply chain controls ensure cybersecurity risks throughout the supply chain are identified, assessed, and mitigated.
- Sample applicable controls:
- System and services acquisition policy and procedures
- Supply chain protections
- Trustworthiness
- Developer security testing and evaluation
- Licensee/Applicant testing
Attack Pathways: PMMD
- Portable media and mobile device (PMMD) controls ensure the implementation of adequate protections and procedures to minimize the cyber risk associated with the use of unapproved PMMD.
- Sample applicable controls:
- Usage restrictions and implementation guidance for controlled PMMD.
- PMMD only used in one security level and are not moved between security levels.
Programmatic Controls
- Programmatic controls are necessary to maintain security throughout the life cycle of CDAs. One of the primary purposes of these controls are to ensure that as the threat environment evolves, licensee systems remain secure from cyber-attack.
- Sample programmatic controls:
- Continuous monitoring and assessment
- Periodic assessment of security controls
- Effectiveness analysis
- Vulnerability assessments and scans
- Configuration management
- Change control
- Security impact analysis of changes and environment
- Cybersecurity program review
Vulnerability Management
- To protect against the ever changing threat environment, nuclear licensees are required by their CSPs to address ongoing threats and vulnerabilities to CDAs by performing vulnerability assessments or scans and evaluations to identify applicable corrective actions required to mitigate/remediate vulnerabilities to maintain adequate defense-in-depth and prevent CDA compromise or exploitation. The following are some of the controls used to address vulnerability management:
- Installing operating systems, applications, and third-party software updates
- Flaw remediation
- Security alerts and advisories
- Contacts with security groups and associations
- Evaluate and manage cyber risk
Defense-in-Depth
- As stated in 10 CFR 73.54(c)(2), the licensee must design its cybersecurity program to apply and maintain integrated defense-in-depth protective strategies to ensure the capability to detect, prevent, respond to, mitigate, and recover from cyberattacks. An acceptable defense-in-depth protective strategy includes:
- A defensive architecture that describes a physical and logical network design that implements successive security levels separated by boundary control devices with segmentation within each security level.
- A defensive strategy that employs multiple, diverse, and mutually supporting tools, technologies, and processes to effectively perform timely detection of, protection against, and response to a cyberattack.
Implementation Guidance
- 1. Cyber Security Assessment Team
- 2. Identify Critical Digital Assets (CDAs)
- 3. Implement Defensive Architecture
- 4. Apply Security Controls to CDAs
- 5. Cyber Security Program Must Include These Areas to Support Implementation 6/4/2023
Full Implementation Inspection Resources (2017-2021)
- Inspection Procedure IP 71130.10P NRC Lead
- Team Composition (four-person team) inspector
- Two regional inspectors
- Two contractor SMEs NRC 2 NRC inspector Contractors
- The initial round of full implementation inspections were completed in 2021 and Available HQ Support focused on ensuring licensees were in (remotely) to staff compliance with the requirements for the team as establishing their cybersecurity needed program.
- These inspections consisted of a week onsite followed by an offsite week, followed by a 2nd week onsite
Current Inspection Program Resources
- Inspection Procedure IP 71130.10
- Team Composition (four-person team) NRC Lead inspector
- Two regional inspectors
- Two contractor SMEs NRC 2 NRC
- Inspections focus on reviewing changes inspector Contractors to the program and ensuring licensees are implementing their programs to Available HQ Support ensure cybersecurity is implemented (remotely) to staff throughout the lifecycle for newly the team as needed installed CDAs.
- Current inspections consist of a prep week offsite then 1 week onsite.
Questions Government Interaction: Coordination Between NRC/NERC/FERC and the Role of DOE and CISA Dan Warner Cyber Security Branch (CSB)
Division of Physical and Cyber Security Policy (DPCP)
Office of Nuclear Security and Incident Response (NSIR)
Key Messages
- NRC has a long history of engagement and cooperation with FERC, DHS/CISA, and other Federal partners on cybersecurity and other issues.
- NRC's engagement with FERC on cybersecurity ensured appropriate protection for balance of plant CDAs.
- The Cyber Assessment Team process is designed both to coordinate internal response to cyber issues as well as support early engagement with interagency partners.
BOP Background
- January 2008 - FERC issued Order No. 706 which specified Critical Infrastructure Protection (CIP) Reliability Standards to safeguard critical cyber assets.
- Exempts facilities regulated by the NRC.
- March 2009 - NRC issued 10 CFR 73.54, Protection of Digital Computer, Communications, and Networks to NRC power reactor licensees.
- Did not cover all balance-of-plant (BOP) equipment at NRC power reactor facilities, creating potential gap between NRC and FERC cybersecurity requirements.
- March 2009 - FERC issued Order No. 706-B to clarify that NPP BOP systems and equipment not within the scope of 10 CFR 73.54 are subject to CIP standards approved in Order No. 706. Nuclear facilities were allowed to seek exemptions from NERCs CIP standards on a case-by-case basis for those digital assets that they believed were subject to the NRCs cybersecurity requirements.
BOP Background Cont.
- December 2009 - NRC and NERC sign memorandum of understanding (MOU) addressing they would handle respective authorities over NPP cybersecurity issues.
- 2010 - NERC sent Bright-Line survey to NPPs requesting that they determine which of their SSCs were potentially subject to NERC CIP standards and which were potentially subject to NRC cyber security regulations.
- In August of 2010, NERC informed the NRC that based on the responses to the Bright-Line Survey, NERC concluded the assignment of regulatory authority for the BOP SSCs from the NERC CIP standards to the NRC cyber security authority was acceptable.
- Memoranda between the NRC and NERC/FERC discussed in more detail in subsequent slides.
BOP Changes
- In November 2012, NERC adopted CIP-002-5 on how to identify and categorize Bulk Electric System (BES) cyber systems and associated cyber assets based on adverse impact of loss, compromise, or misuse could have on the reliable operation of the BES.
- In 2022, NRC approved for use revisions to NEI 10-04 and NEI 13-10, which incorporate the graded approach in the latest versions of the NERC-CIP standards. This approach uses a number of criteria, primarily electrical output of a facility, to determine if they are Low Impact (1500 MWe or less) or Medium Impact (greater than 1500 MWe) to the Bulk Electric System and the required cybersecurity controls.
- NRC staff coordinated with staff in the FERC Office of Electric Reliability to ensure the changes being made were consistent with the latest NERC CIP.
Low Impact Controls
- CIP Reliability Standard 003-7 defines the cyber security controls to be applied to BES Cyber Systems. For Low Impact CDAs (called BOP CDAs), the following cybersecurity controls apply:
- Cyber Security Awareness
- Physical Security Controls
- Electronic Access Controls
- Cyber Security Incident Response
- Transient Cyber Assets and Removable Media malicious code risk mitigation
- Declaring and responding to CIP Exceptional Circumstances
Medium Impact Controls
- CIP Reliability Standard 003-7 defines the cyber security controls to be applied to BES Cyber Systems. For Medium Impact CDAs (called BOP-SCRAM/Trip CDAs), the Low impact cybersecurity controls apply plus the controls listed below. The baseline cybersecurity controls discussed in the previous presentation apply to these CDAs. There are currently no CDAs identified as Medium Impact at NPPs.
- Personnel and Training
- Electronic Security Perimeters
- Physical Security Controls
- System Security Management
- Incident Reporting and Response Training
- Recovery Plans
- Configuration Change Management and vulnerability assessments
- Information Protection
- Declaring and Responding to CIP Exceptional Circumstances
NERC CIP-003-9 Analysis
- CIP-003-9 was recently released and includes an additional control for Low Impact facilities.
- CSB staff reviewed CIP-003-9 to determine what changed from the previous revision and if it impacts BOP CDAs.
- CIP-003-9 adds an additional control specific to Low Impact power generation facilities which requires facilities to implement vendor electronic remote access security controls.
- Staff reviewed the controls required in the revised NEI 13-10 Rev. 7 and determined that the existing controls in Section 3.2 include electronic access controls; air gapped or isolated by a deterministic device for any Low Impact BOP CDAs. This existing control already ensures the new vendor remote access control requirements are addressed and therefore no further action is required by NRC power reactor licensees.
Federal Agencies Department of Homeland Security Department of Energy Federal Energy Regulatory Nuclear Regulatory Commission Cybersecurity and Infrastructure Security Agency Commission Cyber Security-Related Responsibilities
- Lead the National effort to understand
- Responsible for advancing the
- Regulates the interstate
- Regulatory oversight and manage cyber and physical risk to energy, environmental, and transmission of electricity, responsibility of the the U.S. critical infrastructure nuclear security of the U.S. natural gas, and oil Nuclear Reactors critical infrastructure sector
- Their responsibilities include
- The Office of Cybersecurity,
- A memorandum of communicating threats/vulnerabilities Energy Security, and agreement between NRC
- Perform cybersecurity and provide incident response services Emergency Response leads and FERC facilitates inspections at nuclear for the U.S. critical infrastructure the Department of Energys interactions on matters power plants emergency preparedness and pertaining to nuclear
- The NRC would interface with the coordinated response to power plant cybersecurity
- Coordinates with other Cybersecurity and Infrastructure disruptions to the energy federal agencies as Security Agency during a significant sector, including cyber-attacks
- NRC and FERC needed on matters cyber incident at an NPP licensee coordinate activities pertaining nuclear power
- The NRC would interface with regarding nuclear power plant cybersecurity DOE during a significant cyber plant cybersecurity incident at a nuclear power plant
Cyber Assessment Team (CAT)
- CAT is a team of headquarters and regional cyber experts that activates in response to cyber events at NRC licensees:
- Includes NSIR cyber security staff, HQ SMEs, and regional cyber security inspector.
- Evaluates cyber events at NRC licensees (primarily power reactors).
- Assesses the severity of the event and recommends actions to agency leadership.
- CAT assists in internal coordination between headquarters and regions.
CAT Activation
- CAT is primarily activated by the Operations Center in response to licensee event reports under 10 CFR 73.77.
- Any reportable cyber event under 73.77(a) triggers notification of the CAT Lead.
- There have been no 73.77 reports since the rule took effect in 2015. There have been incidents on non-regulated licensee systems such as corporate networks, but the CAT was not activated in part due to privacy concerns.
- Management, the CAT Lead, or regional staff can request activation of the CAT based on information received from/about a licensee or other industry cyber event.
- CAT has activated to leverage the process to assess non-licensee cyber events.
Example of CAT Interaction with CISA
- CAT lead is notified of an incident involving a licensees business network, such as a ransomware attack or exfiltration of data.
- CAT lead determines if the incident would have an impact on NRC regulated systems. If not, no further activation of the CAT is needed.
- CAT lead works with CSB Chief to determine if any briefing documents for management need to be prepared and if any courtesy notifications need to be made to DHS/CISA.
- If CISA notification is needed, contact is made with the Nuclear SRMA and Threat Hunting groups to ensure awareness and provide points of contact for any necessary follow-up.
DHS Threat Hunting NRC Training
- NRC staff are working with staff from the DHS Cybersecurity Divisions Threat Hunting team, who are responsible for responding to cybersecurity incidents at critical infrastructure facilities, to help familiarize them with nuclear technology.
- The Threat Hunting team visited the NRCs Technical Training Center to attend a session of R-105, Nuclear Technology for Security Course.
- The team will be visiting the Millstone power plant to become familiar with a licensee facility and will also be participating in a short class on radiation protection later this year.
Questions NRCs Coordination with FERC and NERC Jorge A Cintron-Rivera Office of Nuclear Reactor Regulation Division of Engineering and External Hazards Long Term Operations and Modernization Branch
Outline
- Purpose and Objectives
- Background
- NRC and FERC Requirements and Standards
- Common interests
- Interagency agreements (IAAs) and interactions
- Memoranda of understanding (MOUs)/Memorandum of agreement (MOA)
- Responsibilities for the Nuclear Regulatory Commission (NRC), Federal Energy Regulatory Commission (FERC), and North American Electric Reliability Corporation (NERC)
- NRC-FERC Jurisdiction Boundaries
- Example Scenario of Coordination Between Agencies
- 2021 Texas cold weather event
Purpose and Objectives
- Brief the Advisory Committee on Reactor Safeguards (ACRS) on government interactions for protecting the grid and power conversion
- Familiarize the ACRS on the agreements between the NRC, FERC, and NERC to facilitate communications between the agencies
- Discuss the regulatory jurisdictions for each agency to protect the grid
Background
- The August 14, 2003, blackout in the Northeastern United States highlighted the need for formal agreements between the NRC and FERC, to ensure communication and coordination
- IAAs/MOUs/MOAs facilitate the coordination between the agencies
- Roles and responsibilities for each agency
- Guidelines for cooperative work
- Currently, there are 4 active IAA/MOUs/MOA (related to the grid)
NRC and FERC Common Interests Requirements and Standards Protecting the Grid
- The NRC evaluates the design and operation of nuclear power plant electric power grid systems
- General design criterion (GDC) 17, Electric Power Systems
- 10 CFR 50.65, Requirements for Monitoring the Effectiveness of Maintenance at NPPs
- Technical specifications
- Generic Letter 2006-02: Grid Reliability and the Impact on Plant Risk and the Operability of Offsite Power
- FERC regulates the interstate transmission of electricity
- Focuses on reliability, integrity, security, and operation of the Bulk Power System (BPS or electric power grid)
- Provides oversight of NERC
- NERCs mission is to assure the effective and efficient reduction of risks to the reliability and security of the grid
- Develops and enforces reliability standards
- Annually assesses seasonal and longterm reliability
- Monitors the bulk power system through system awareness
- Educates, trains, and certifies industry personnel.
Nuclear Safety & Security Enhanced by Interagency Agreements and Interactions NRC-FERC MOU/MOAs:
--Grid Reliability, Cyber Security and Physical Security (MOA)
--Dam Safety Interagency Agreement (IAA)
--Critical Energy/Electric Infrastructure Information (MOU)
NRC-NERC MOU
--Security (Cyber/Physical)
Grid Reliability, Cyber Security, and Physical Security MOA
- Facilitate interactions between the NRC and FERC on matters of mutual interest related to the reliability of the Nations electric power grid and nuclear power plant safety and security
- Cybersecurity
- Emergency Response
- Provides guidelines for sharing of operational event information between the NRC and FERC
- Agreement to coordinate activities relating to cybersecurity and physical protection of shared critical infrastructure assets, including the sharing of information on threats.
- MOU was revised in 2022
- Active until 2027
Dam Safety IAA
- Provides guidance to the NRC and FERC for implementing the NRC Dam Safety Program
- FERC assists the NRC by providing expertise to conduct inspections of dams
- SECY-91-193 establishes the NRC Dam Safety Program Plan
- Ensure compliance with Federal Guidelines for Dam Safety
- Currently, there are eight (8) dams that come under NRC jurisdiction
- 7 of the dams are at operating power reactors
- 1 of the dams is at uranium recovery facility
- Statement of Work provides guidance on performing inspections of the dams
- IAA was issued in 1992
Critical Energy/Electric Infrastructure Information MOU
- Agreement between the NRC and FERC to ensure the safety and security of the electric grid by protecting Critical Energy/Electric Infrastructure Information (CEII)
- The NRC staff is responsible for initially identifying information in its custody that contains CEII
- MOU was issued in 2018
- 5-year extension memo signed in 2022
Cyber and Physical Security MOU
- Establish the roles and responsibilities between the NRC and NERC as they relate to the application of their respective cyber and physical security requirements for the protection of digital assets at U.S. NPPs
- NRCs focus is the prevention of radiological sabotage.
- NERCs focus is on the reliability of the bulk-power system
- The MOU establishes inspection protocols for each agency
- Digital assets that can affect safety, security, and emergency preparedness vs. digital assets related to continuity of power
- Provides guidelines for the sharing of all information to carry out the intent of the MOU
- MOU was revised in 2015
NRC-FERC MOA NRC-FERC CEII MOU NRC-FERC Dam Safety IAA Regulatory Oversight Oversight Title 10 of the Relationships Code of the Federal Regulations Reliability Standards
NRC-FERC Jurisdiction Boundaries Transmission Lines Subtransmission 765, 500, 345, 230, 138 kV Customer 26 and 69 kV Nuclear Generating Station Primary Customers 13 and 4 kV Substation Step-Down Transformer Secondary Customers 13 and 4 kV Transmission Customers FERC Jurisdiction NRC-FERC Joint Jurisdiction*
NRC Coordination with FERC & NERC Technical, Regulatory and Policy Coordination
- NRC consults with FERC/NERC staff for transmission system status when NPPs request enforcement discretion
- Exchange information of interest during incidents affecting the grid such as severe weather, dam safety inspection coordination, and EMP.
Overview: 2021 Texas Cold Weather Event Unprecedented Cold Comanche Peak 1 & 2 South Texas Project 1 & 2 Weather
- Both sites remained safe
- Neither units shut down
- One unit safely shutdown due during degraded grid
- Proactively started an onsite to a frozen instrumentation conditions emergency diesel generator line
Coordination: 2021 Texas Cold Weather Event
- The NRC staff coordinated multiple meetings to identify the role of each agency in Texas
- Clearer understanding of the responsibilities of FERC, Electric Reliability Council of Texas (ERCOT) and the transmission system operators
- FERC issued a report that investigated the cold weather event
- Report included recommendations for preparing for cold weather events
- The NRC staff hosted a workshop on the 2021 Texas Weather Event
- FERC provided status of recommendations
Summary
- The agreements facilitate a continuing and cooperative relationship between agencies to enhance nuclear safety and security
- The agreements provide an avenue to exchange experience, information, and data related to reliability of the grid
- The agreements optimize utilization of agency resources and prevent overlap while allowing agencies to carry out their respective responsibilities
Questions ACRS Subcommittee Meeting May 17, 2023 NRC Staff Efforts for Cybersecurity of Advanced Reactors Ismael Garcia Division of Physical and Cyber Security Policy (DPCP)
Office of Nuclear Security and Incident Response (NSIR)
Draft Cyber Security Requirements for Advanced Reactors 2
Background - Found in 10 CFR 73.54 Power Reactors Protect digital assets that perform Cyber specified functions Requirements Protect from cyber attacks up to an including a DBT 3
Proposed New Cyber Requirements 10 CFR Part 53 Preliminary New Cyber development for Proposed Rule Requirements in Advanced Reactors Language Proposed Rule Publicly Available 4
Preliminary Proposed Cyber Requirements Under the 10 CFR Part 53 rulemaking, the new Cybersecurity Program cybersecurity framework would ensure that digital Designed in a manner that is commensurate with the potential consequences computers, communication systems, and networks are adequately protected against cyberattacks that may result in Continuous monitoring Digital Assets and assessment Safety Configuration Offsite radiation doses that endanger management Defense in Depth public health and safety.
Confidentiality Integrity Vulnerability scans Emergency Availability Preparedness Ongoing assessment of security A degradation in the physical controls and effectiveness protection of radioactive material.
Security Cybersecurity event notifications
Reference:
Part 73.110, "Technology-inclusive requirements for protection of digital computer Note: This staff-proposed rulemaking has been documented in a SECY and is with the and communication systems and networks, ADAMS Accession Number ML21162A093 Commission for review. More information on the rulemaking process is available at https://www.nrc.gov/about-nrc/regulatory/rulemaking/rulemaking-process.html. 5
10 CFR 73.110 Draft Regulatory Guide Concepts 6
Draft Regulatory Guide Development An acceptable Effective guidance Leverage approach for to support a IAEA and IEC meeting the performance- security 10 CFR 73.110 based regulatory approaches requirements framework Note: This staff-proposed rulemaking has been documented in a SECY and is with the Commission for review. More information on the rulemaking process is available at https://www.nrc.gov/about-nrc/regulatory/rulemaking/rulemaking-process.html.
7
Facility LevelEliminate potential adversary scenarios through facility design Draft Regulatory Function LevelEliminate or mitigate Guide - attack vectors through passive cybersecurity plan and defensive Three-Tier cybersecurity architecture elements (e.g., data diodes)
Analysis Approach System LevelUse active cybersecurity plan and defensive computer security architecture elements (e.g., intrusion detection systems) to protect against cyberattacks Note: This staff-proposed rulemaking has been documented in a SECY and is with the Commission for review. More information on the rulemaking process is available at https://www.nrc.gov/about-nrc/regulatory/rulemaking/rulemaking-process.html. 8
SECY-23-0021, Proposed Rule:
Risk-Informed, Technology-Inclusive Regulatory Framework for Advanced Reactors submitted to the Commission on March 1, 2023 for approval Future Work Continue to support draft Part 53 proposed rulemaking efforts including the cybersecurity requirements and regulatory guidance 9
10 ACRS Cybersecurity Research Brief Overview of staff research in support of advanced reactor cybersecurity engagement May 17, 2023
Presentation Outline
- Introduction
- Cybersecurity Research Goals and Drivers
- Research Approach
- Representative Research in Novel Technologies
- Wrap up
Introduction
- Novel techs are applicable to both operating and advanced reactors
- RES is proactively looking at these technologies to be ready for the future
- Selected projects are a subset of active research
Goals of RES Cybersecurity Research RES staff is performing anticipatory research to assist (and prepare) the NRC to meet potential technical and regulatory cybersecurity challenges within the nuclear domain.
RES staffs general goals are:
- Educate NRC staff
- Identify potential cybersecurity implications
- Develop awareness of/collaboration with government and nuclear industry (national and international) activities
Novel Technology Research Drivers Licensees are considering new technologies or novel technology implementations Change in attack surface, new attack vectors NSIR staff needs to understand associated cybersecurity issues Need to develop technical basis for licensing, guidance, and oversight Need for inspection tools
Novel Technologies for Todays Discussion
- FPGAs
- Autonomous Control ( w/ Remote Operations and Monitoring)
- AI/ML - Future Focused Research
- Wireless
Field Programmable Gate Array (FPGA)
Dr. Anya Kim Office of Nuclear Regulatory Research Division of Engineering Instrumentation, Controls, and Electrical Engineering Branch
Background on FPGAs
- Field Programmable Gate Arrays
- Can be customized for a specific application
- Hardware that can be reprogrammable
Research Purpose & Potential Insights
- Identify potential cybersecurity concerns with FPGAs for future nuclear applications
- Investigate whether FPGAs:
- Are inherently cyber secure
- Are not vulnerable to Internet cyber-attacks
- Assist NRC staff
Autonomous Control Technologies and Remote Operations and Monitoring Dr. Anya Kim Office of Nuclear Regulatory Research Division of Engineering Instrumentation, Controls, and Electrical Engineering Branch
Background on Autonomous Control
- What is Autonomous control Autonomous systems are able to perform their task and achieve their functions independently (of the human operator), perform well under significant uncertainties for extended periods of time with limited or nonexistent communication, with the ability to compensate for failures, all without external intervention (M. Endsley (2017), From Here to Autonomy: Lessons Learned From Human-Automation Research, Human Factors, 59(1))
- Capabilities: diagnosis, prognosis, planning, decision making, self-validation, etc.
- Enabling technologies
Research Purpose & Potential Insights
- Vendor/applicant interest in autonomous controls for NPPs
- Identify potential cybersecurity concerns with autonomous controls for NPPs
- Understand cyber implications of the enabling technologies:
- Remote Monitoring and Operations
- Digital Twins
- Artificial Intelligence and Machine Learning
Artificial Intelligence and Machine Learning Dr. Doug Eskins Office of Nuclear Regulatory Research Division of Engineering Instrumentation, Controls, and Electrical Engineering Branch
Background on AI/ML AI AI - ability to emulate human-like cognitive activities ML ML - subset of AI that uses data to learn without explicit programming Attractive ML model features: ML model issues:
Faster & less expensive Black box Difficult to explain More powerful & efficient Difficult to validate (VVUQ)
Applicable to new and integrated domains Highly dependent on data & training Only data-based (explicit domain knowledge not Non-deterministic required) Not fully representative of system states
AI/ML Research Motivation & Purpose Artificial intelligence and machine learning are emerging technologies critical to the current and future national and economic security of the United States*
AI-CyS Nuclear AI Nuclear AI-CyS
- DOE Office of Cybersecurity, Energy Security, and Emergency Response
Characterizing Nuclear Cybersecurity Using AI/ML Identify Develop Gather Develop &
Nuclear AI- Technical Experimental Document CyS Use Case Approach Data Insights Cyber Events Off Normal States Other Events Normal States Normal Operations
Wireless Technologies Dr. Doug Eskins Office of Nuclear Regulatory Research Division of Engineering Instrumentation, Controls, and Electrical Engineering Branch
Background on Wireless Wireless includes
- Wi-Fi, Bluetooth, Cellular, Zigbee, WirelessHART, GPS, RFID Safety components are deterministically isolated by
- Data diode & physical separation
- Prohibition of wireless
Wireless Research Motivation & Purpose Potential expanded use of wireless in nuclear power plants
- Monitoring & Control Cybersecurity insights from other safety critical applications Two Step Approach
- Review literature and related regulations/guidance on wireless applications
- Survey industry on the use of wireless in safety critical applications
Wireless Research & Insights Gained
- U.S. critical infrastructure industries do not use wireless for safety critical applications
- Technical Letter Report: Study of Wireless Technology Implementation in Isolated, High Consequence Networks (ADAMS Accession No. ML22180A008, publicly available)
Wrap Up
- These research topics are interrelated
- Potential additional research in the following areas:
- Parallel cybersecurity assessment during DI&C Upgrades
- Alternate approaches for verifying cybersecurity controls
- AI: Artificial Intelligence
- AI-CyS: AI and Cybersecurity
- CSP: Cybersecurity Plan
- DI&C: Digital Instrumentation and Controls
- DOE: Department of Energy
- EPRI: Electric Power Research Institute
- FPGA: Field Programmable Gate Array
- GPS: Global Positioning System
- ML: Machine Learning
- NPP: Nuclear Power Plant
- RFID: Radio Frequency Identification
- TAM: Technology Assessment Methodology
- VVUQ: Verification, Validation, and Uncertainty Quantification
- Wi-Fi: Wireless Fidelity
- WirelessHART: Wireless Highway Addressable Remote Transducer Protocol
Questions?
BACKUP SLIDES Novel Technology Research Approach Leverage Cyber Technical work of Challenges Security Letter DOE & and Gaps Insights Report others
Novel Technologies Background
- Licensees are considering the implementation of various technologies such as Field Programmable Gate Array (FPGA)-based systems, remote monitoring and operations, autonomous control system, and other technology-based systems [2]. NRC staff needs to understand the potential safety and security aspects of these technology implementations to evaluate whether they comply with NRCs cyber security regulations.
- Research assistance request (RAR) NSIR-2021-007, Cyber Security-Focused Overview of Novel Technology Implementations in Nuclear Power Plants was created to support NSIR staff in understanding the cyber security risks associated with these technology implementations as well as potential graded, and technology inclusive frameworks associated with the application of these technologies.
RES Approach to FPGAs
- Examine current work in this area
- Lots of research in cybersecurity issues of FPGAs
- Insights
- Not all are applicable to NPPs, but
- Some require physical presence, some are not realistic
- No explicit software, but...
- Design tools are software, now, even programming language can be SW
- IP Cores are reused (third party)
- Supply chain issues
- Different vendors have different set of security controls for their FPGA families
- Provide technical basis and inspector aids
- Take these insights and use them
Machine Learning Basics Model Development System Data Data Features Trained Model Feature Extraction Train, Test, Validate Model Deployment Trained Model Inputs Predicted Outputs Outputs Inferred Inputs
What are NRCs AI/ML related research objectives?
- FFR project investigating if AI/ML is useful for characterizing NPP cybersecurity states
- Participation of cybersecurity research staff in AI strategy group
- AI/ML Study Group (involves cybersecurity researchers)
- DT use of AI/ML as an enabling technology (future exercise of cybersecurity DT task?)
- Outreach to external entities, e.g., input to DOE-NE cybersecurity research plan (included AI/ML)
Experimental Event Type 1 Event Type 2 System Differentiation Malfunction Cyber Event Normal Issue Detected Detection AI/ML Systems Training, Test, &
Validation Data State Capture & Measurement Systems Plant System Data Plant Systems Representations Nuclear (OT) Cyber (IT)
Issue injection Issue Generation Systems Malfunction Cyber Event