NRC Cyber Security Policy &

Size: px

Start display at page:

Download "NRC Cyber Security Policy &"

Phoebe Short
9 years ago
Views:

1 Ask SME and Learn NRC Cyber Security Policy & Guidance Development Mario R. Fernandez Jr., Security Specialist (Cyber) Cyber Security Directorate Office of Nuclear Security & Incident Response 1

2 Agenda O i f B i R i t 10CFR Overview of Basic Requirements 10CFR Cyber Security Program Implementation Guidance Documents

3 NRC Cyber Security Program 10 CFR 73.1 Design Basis Threat Rule (2007) Cyber Attack 10 CFR Protect those assets associated with SSEP functions from cyber attacks that: Adversely impact the integrity or confidentiality of data and/or software Deny access to systems, services, and/or data Adversely impact the operation of systems, networks, and associated equipment SSEP Functions SSEP Functions

integrity or confidentiality of data and/or software Deny access to systems, services, and/or data

4 10 CFR High-level, Performance-Based, Programmatic FOCUS: Prevention of Radiological Sabotage Generic (i.e., not reactor-specific) Consistent with Physical Security Regulatory Approach 4

5 10 CFR Basic Requirements 1. Identify Critical Digital Assets (CDAs) That Must Be Protected 2. Apply & Maintain a Defense-in-Depth Protective Strategy 3. Address Security Controls for each CDA 4. Mitigate against cyber attacks 5

6 10 CFR Basic Requirements 4. Training commensurate with roles and responsibilities to facility personnel including contractors 5. Review the CSP as a component of the Physical Security Plan 6. Retain records and supporting technical documentation. 6

7 10 CFR Requires submission of a Cyber Security Plan (CSP) and an implementation schedule for NRC review & Approval. All licensees submitted a CSP & an Implementation Schedule for NRC approval November 2009 Site-specific Processes and Criteria Describes the Cyber Security Program

8 Guidance Documents DG 5022/ Regulatory Guide (RG) 5.71 Cyber Security Programs for Nuclear Facilities (Jan 2010) NEI Rev. 6 Cyber Security Plan For Power Reactors was found acceptable (April 2010)

9 RG 5.71 & NEI CSP Template 1. Form a Cyber Security Assessment Team Define Roles & Responsibilities and form a Cyber Security Team (Cyber Security Incident Response Team) 9

10 RG 5.71 & NEI CSP Template 1. Form a Cyber Security Assessment Team Build a Cyber Security Assessment Team 10

11 RG 5.71 & NEI CSP Template 2. Identify Critical Systems (CSs) & Critical Digital Assets (CDAs) 11

12 RG 5.71 & NEI CSP Template 3. Deploy Defensive Architecture Highest Security Levels hold safety, important to safety, security, and supporting systems/equipment 12

13 RG 5.71 & NEI CSP Template 4. Apply/address Tailored Security Controls (147) for each CDA Access Controls Technical Audit & Accountability CDA/CS & Communication Protection Operational Management Identification and Authentication System Hardening Media Protection Personnel Security System & Information Integrity System/Service Acquisition Maintenance Security Assessment and Risk Management Physical & Environment Protections Defensive Strategy 13

CDA/CS & Communication Protection Operational Management Identification and Authentication System Hardening Media

14 RG 5.71 & NEI CSP Template Conceptual Approach Cyber Security Assessment Team Identify Critical Digital Assets Apply Defensive Architecture Address Security Controls 1. Address each control for each CDA, or 2. Apply alternative measures, or 3. Explain why a control is N/A Safety CDAs Security CDAs Site LAN Corporate LAN 14

Controls 1. Address each control for each CDA, or 2.

15 Conceptual Approach RG 5.71 & NEI CSP Template Security Controls CDA Address each control: Authorized User CDA Use Only (1) Apply each control to each CDA (2) Apply alternative measure(s) in lieu of one or more controls (justify!) (3) If the security issue does not exist, then the security control is not applicable 15

Authorized User CDA Use Only (1) Apply each control to each CDA (2) Apply

16 RG 5.71 & NEI CSP Template Defense-in-Depth Protective Strategies Strategy 1 - Incorporate protective security boundaries for timely detection and response against a cyber attack Strategy 2 - The application of security controls coupled with the physical program to detect, deter, respond and recover from a cyber attack Strategy 3 - Maintain the Cyber Security Program 16

attack Strategy 2 - The application of security controls coupled with the physical program to

17 CDA Safety CDAs Cyber Security Plan Conceptual Approach CDA Security CDAs Site Corporate LAN LAN 17

18 Cyber Security Plan Maintain the Cyber Security Program 18

19 Summary Overview of Basic Requirements 10CFR Cyber Security Program Implementation 1. Establishing a Cyber Security Assessment Team 2. Identification of Critical Systems (CS) & Critical Digital Assets (CDAs) 3. Implementing a Defensive Architecture 4. Application of Security Controls 5. Maintaining the Cyber Security Program

20 Questions 20

A Regulatory Approach to Cyber Security

A Regulatory Approach to Cyber Security Perry Pederson Security Specialist (Cyber) Office of Nuclear Security and Incident Response U.S. Nuclear Regulatory Commission 1 Agenda Overview Regulatory Framework