Options for Cyber Security. Reactors. April 9, 2015



Similar documents
A Regulatory Approach to Cyber Security

Cyber Security Evaluation of the Wireless Communication for the Mobile Safeguard Systems in uclear Power Plants

NRC Cyber Security Regulatory

POLICY ISSUE INFORMATION

U.S. NUCLEAR REGULATORY COMMISSION January 2010 REGULATORY GUIDE OFFICE OF NUCLEAR REGULATORY RESEARCH. REGULATORY GUIDE 5.71 (New Regulatory Guide)

Spreading the Word on Nuclear Cyber Security

NRC Cyber Security Policy &

Cyber Security for Nuclear Power Plants Matthew Bowman Director of Operations, ATC Nuclear IEEE NPEC Meeting July 2012

PUBLIC MEETING. details&code APPLICATIONS FOR NUCLEAR POWER PLANTS Regulatory Guide [Revision]

2/22/2010. Cyber Security Industry Experiences. Regulatory Documents. Licensing History. NRC RIC Jack Roe NEI

NUCLEAR REGULATORY COMMISSION. 10 CFR Part 73 [NRC ] RIN 3150-AJ37. Cyber Security Event Notifications

Cyber Security R&D (NE-1) and (NEET-4)

The U.S. Nuclear Regulatory Commission s Cyber Security Regulatory Framework for Nuclear Power Reactors

REGULATORY GUIDE 5.29 (Draft was issued as DG 5028, dated May 2012) SPECIAL NUCLEAR MATERIAL CONTROL AND ACCOUNTING SYSTEMS FOR NUCLEAR POWER PLANTS

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C March 3, 2011

Cynthia Broadwell, Progress Energy. William Gross, Nuclear Energy Institute

How To License A Nuclear Plant

Proposal to Consolidate Post-Fukushima Rulemaking Activities

Backgrounder Office of Public Affairs Telephone: 301/

Cyber Security Considerations in the Development of I&C Systems for Nuclear Power Plants

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C November 13, 2012

DRAFT REGULATORY GUIDE

A CYBER SECURITY RISK ASSESSMENT FOR THE DESIGN OF I&C SYSTEMS IN NUCLEAR POWER PLANTS

REGULATORY GUIDE (Draft was issued as DG-1267, dated August 2012)

Security Requirements for Spent Fuel Storage Systems 9264

NUCLEAR REGULATORY COMMISSION. [Docket No ; NRC ] PPL Bell Bend, LLC; Combined License Application for Bell Bend Nuclear Power Plant

UNITED STATES NUCLEAR REGULATORY COMMISSION ADVISORY COMMITTEE ON REACTOR SAFEGUARDS WASHINGTON, DC July 17, 2012

OVERVIEW OF THE OPERATING REACTORS BUSINESS LINE. July 7, 2016 Michael Johnson Deputy Executive Director for Reactor and Preparedness Programs

NEI 06-13A [Revision 0] Template for an Industry Training Program Description

May 30, Commissioner Svinicki Commissioner Apostolakis Commissioner Magwood Commissioner Ostendorff

NEI [Rev. 6] Cyber Security Plan for Nuclear Power Reactors

AN ANALYSIS OF TECHNICAL SECURITY CONTROL REQUIREMENTS FOR DIGITAL I&C SYSTEMS IN NUCLEAR POWER PLANTS

Cyber Security Design Methodology for Nuclear Power Control & Protection Systems. By Majed Al Breiki Senior Instrumentation & Control Manager (ENEC)

ABA Section of Public Utility, Communications & Transportation Law Safety and Security in Transport

Integrating Cyber Security into Nuclear Power Plant Safety Systems Design

Announcement of a new IAEA Co-ordinated Research Programme (CRP)

Protect Your Assets. Cyber Security Engineering. Control Systems. Power Plants. Hurst Technologies

U.S. NUCLEAR REGULATORY COMMISSION STANDARD REVIEW PLAN. Organization responsible for the review of physical security

Nuclear Plant Information Security A Management Overview

A DEVELOPMENT FRAMEWORK FOR SOFTWARE SECURITY IN NUCLEAR SAFETY SYSTEMS: INTEGRATING SECURE DEVELOPMENT AND SYSTEM SECURITY ACTIVITIES

WHITE PAPER PROPOSED CONSEQUENCE-BASED PHYSICAL SECURITY FRAMEWORK FOR SMALL MODULAR REACTORS AND OTHER NEW TECHNOLOGIES

The Anatomy of an Effective Cyber Security Solution: Regulatory Guidelines and the Technology Required for Compliance

Executive Director for Operations AUDIT OF NRC S CYBER SECURITY INSPECTION PROGRAM FOR NUCLEAR POWER PLANTS (OIG-14-A-15)

An International Perspective on Security and Compliance

U.S. Nuclear Regulatory Commission Public Meeting Summary. November 6, 2015

The Objectives of this Rulemaking

CONCEPTS IN CYBER SECURITY

Cyber Security and the Canadian Nuclear Industry a Canadian Regulatory Perspective

Regulatory Guide Verification, Validation, Reviews, And Audits For Digital Computer Software Used in Safety Systems of Nuclear Power Plants

Regulatory Guide Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

Designing Compliant and Sustainable Security Programs 1 Introduction

abstract NRC Headquarters United States Nuclear Regulatory Commission

NUCLEAR REGULATORY COMMISSION

MDEP Generic Common Position No DICWG 02

NEI 06-13A [Revision 2] Template for an Industry Training Program Description

WordPerfect Document Compare Summary

A Cost-Efficient Approach to High Cyber Security Assurance in Nuclear Power Plants

DRAFT REGULATORY GUIDE DG-1154 (Proposed Revision 2 of Regulatory Guide 1.128, dated October 1978)

NRC REGULATORY ISSUE SUMMARY , REQUESTING QUALITY ASSURANCE PROGRAM APPROVAL RENEWALS ONLINE BY ELECTRONIC INFORMATION EXCHANGE

NORTH CAROLINA EASTERN MUNICIPAL POWER AGENCY SHEARON HARRIS NUCLEAR POWER PLANT, UNIT 1. Renewed License No. NPF-63

Interim Staff Guidance on Implementation of a Probabilistic Risk Assessment-Based Seismic Margin Analysis for New Reactors DC/COL-ISG-020

US-APWR Human Performance Monitoring Implementation Plan

Human Factors in Design and Construction Regulatory Perspective

NRC REGULATORY ISSUE SUMMARY , IDENTIFYING AND REPORTING SECURITY INCIDENTS UNDER 10 CFR PART 37

Sara Brock Counsel for NRC Staff

REGULATORY GUIDE (Draft was issued as DG-1207, dated August 2012)

How To Improve Safety At A Nuclear Power Plant

6898 Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Notices

NRC INSPECTION MANUAL

CHALLENGES OF CYBER SECURITY FOR NUCLEAR POWER PLANTS. Kwangjo Kim

REGULATORY GUIDE OFFICE OF NUCLEAR REGULATORY RESEARCH. REGULATORY GUIDE (Draft was issued as DG-1226, dated August 2009)

How To Write A Cyber Security Risk Analysis Model For Research Reactor

U.S. NUCLEAR REGULATORY COMMISSION STANDARD REVIEW PLAN

NUCLEAR REGULATORY COMMISSION. [Docket No ; NRC ] Texas Engineering Experiment Station/Texas A&M University System

AUDIT REPORT FOR LIFECYCLE PHASES ONE AND TWO DOCUMENTATION. VALIDATION RELATED TO PROTECTION AND SAFETY MONITORING SYSTEM and

United States Nuclear Regulatory Commission Office of Research Washington, DC

Defense in Depth Architecture of Server Systems for the Improvement of Cyber Security

APPENDIX B SUPPLEMENTAL INSPECTION PROGRAM A. OBJECTIVES AND PHILOSOPHY OF THE SUPPLEMENTAL INSPECTION PROGRAM

GAO. NUCLEAR REGULATION Regulatory and Cultural Changes Challenge NRC. Testimony

POLICY ISSUE NOTATION VOTE POLICY OPTIONS FOR MERCHANT (NON-ELECTRIC UTILITY) PLANT FINANCIAL QUALIFICATIONS

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

U.S. Nuclear Regulatory Commission. Customer Service Plan

AP1000 European 18. Human Factors Engineering Design Control Document

Industrial Security & Compliance Using the Holistic Lifecycle Model

Risk Management in Practice A Guide for the Electric Sector

POLICY ISSUE (Information)

December 5, 2013 VENDOR INSPECTION PROGRAM ANNUAL SELF-ASSESSMENT REPORT FOR FISCAL YEAR 2013

Overview TECHIS Carry out risk assessment and management activities

IAEA 2015 INTERNATIONAL CONFERENCE ON COMPUTER SECURITY IN A NUCLEAR WORLD

U.S. NUCLEAR REGULATORY COMMISSION STANDARD REVIEW PLAN. Organization responsible for the review of instrumentation and controls

October 22, 2015 EA

Cyber Security in a Nuclear Context

STANDARD REVIEW PLAN

HANFORD TANK WASTE REMEDIATION SYSTEM PRIVATIZATION CO-LOCATED WORKER STANDARDS

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, 0.C July 7, 2015

Wilfred C. LaRochelle Principal Nuclear Consultant HSB Global Standards, USA

December 22, Research and Test Reactor Branch A Division of Policy and Rulemaking Office of Nuclear Reactor Regulation

Cyber Security and Other Realities of Our Digital World Andy Dickson IT Director Nuclear Fleet Operations

Ask SME and Learn. NRC Cyber Security Oversight. Cyber Security Directorate

UNITED STATES NUCLEAR REGULATORY COMMISSION OFFICE OF NUCLEAR REACTOR REGULATION OFFICE OF NEW REACTORS WASHINGTON, DC

Transcription:

Options for Cyber Security Design Requirements for Power Reactors April 9, 2015

Scope Discuss options for including cyber security design requirements for power reactors into NRC regulations Scope does not include any other cyber security initiatives, such as the NEI petition for cyber security rulemaking -2-

Objective Provide an overview of potential options for including cyber security design requirements for power reactors into NRC regulations Solicit stakeholders feedback regarding the options for including cyber security design requirements -3-

Current Cyber Security Regulations & Guidance (1/2) (2005) NRC endorsement of NEI 04-04, 04, Cyber Security Program for Power Reactors (2009) Issuance of 10 CFR 73.54, Protection of Digital Computer and Communication Systems and Networks (2010) Publication of Regulatory Guide (RG) 5.71, Cyber Security Programs for Nuclear Facilities (2004) Publication of NUREG/CR-6847, Cyber Security Self- Assessment Method for U.S. Nuclear Power Plants -4-

Current Cyber Security Regulations & Guidance (2/2) (2010) NRC endorsement of NEI 08-09, Cyber Security Plan for Nuclear Power Reactors (2011) Publication of RG 1.152, Revision 3, Criteria For Use Of Computers in Safety Systems of Nuclear Power Plants. This revision deleted cyber security guidance under 10 CFR Part 50 to be consistent with programmatic requirements of 10 CFR 73.54 (2013) NRC endorsement of NEI 13-10, Cyber Security Control Assessments -5-

Current Regulatory Framework 10 CFR 73.54 provides programmatic requirements for licensees and COL applicants to protect digital computer and communication systems and networks against cyber attacks The current regulatory framework requires licensees and COL applicants to submit a cyber security plan to be reviewed by the NRC Licensees and COL applicants are not required to submit design information addressing cyber security requirements for NRC review For new reactors, the first opportunity for the NRC to inspect the implementation of the cyber security program is after the COL is issued This typically occurs long after the referenced design certification is completed -6-

ACRS Concerns (1/2) The Advisory Committee on Reactor Safeguards (ACRS) has raised concerns regarding control of access to plant equipment and networks The ACRS has stated that control of access to critical plant systems should be reviewed as part of design certifications and COL application reviews The ACRS has raised similar concerns regarding the licensing reviews of operating plant digital I&C upgrades -7-

ACRS Concerns (2/2) ACRS recommended uni-directional communication from Level 4 to Level 3, and from Level 3 to Level 2, to be enforced via a communication flow enforcement device (e.g., data diode) The design of this device would be reviewed during licensing A recommended approach that is described in RG 5.71 is shown below -8-

Design Certification Applicants Design certification applicants requested the NRC to review their cyber security design features as part of design certification application reviews GEH submitted ESBWR Cyber Security Program Plan AP1000 submitted the AP1000 PMS Computer Security Plan Aspects of both plans that addressed 10 CFR 73.54 were not reviewed since demonstrating compliance to 10 CFR 73.54 is the responsibility of the COL applicant. NuScale requested NRC review cyber security features as part of their design certification applications -9-

Benefits of Cyber Security Design Requirements (1/3) International nuclear power plant standards (e.g. IEC 62859) recommend that cyber security requirements be defined as early as possible in the system development lifecycle Consideration of cyber security early in the system development lifecycle can improve both a system s ability to resist a cyber attack, and limit the adverse consequences of a successful attack on the system -10-

Benefits of Cyber Security Design Requirements (2/3) Incorporation of cyber security controls as part of the development of I&C systems is currently a voluntary measure Since design certification applicants are not required to address cyber security, COL holders must address the requirements of CFR 73.54 during later stages If a vulnerability exists within the installed design, the licensee would have to either modify the system or implement compensatory measures to mitigate the vulnerability This is often less effective than developing a more secure and robust system that provides inherent protection against the vulnerability -11-

Benefits of Cyber Security Design Requirements (3/3) Cyber security design requirements could enable the NRC to review the applicant s/licensee s s proposed cyber security measures earlier in the licensing process Cyber security design requirements will provide an added level of regulatory assurance for new reactor designs and for new safety I&C systems to be installed in operating reactors COL holders and licensees would be able to reference the staff s safety evaluation on the cyber security design controls in their cyber security program -12-

Overview of Options: Option #1 Develop cyber security design requirements to complement the current programmatic cyber security regulations Applicable to DC and COL applicants, and licensees seeking approval of digital upgrades for safety and important to safety systems Applicable for systems that perform safety and important-to-safety functions Information demonstrating that cyber security controls were considered during the design of systems that perform safety and important-to-safety functions should be provided Results of cyber vulnerability assessments conducted for systems that perform safety and important-to- safety functions Information on how identified vulnerabilities are mitigated and the cyber security design control(s) used to mitigate the vulnerabilities -13-

Overview of Options: Option #2 Develop regulations to require technical controls for information flow enforcement in design Applicable to DC and COL applicants, and licensees seeking approval for digital upgrades for safety and important-to-safety systems Specific to the controls specified in Section B.1.4 of RG 5.71 (i.e., oneway, hardware-based data communication paths between Level 4 and Level 3, and between Level 3 and lower security levels of the cyber security defensive architecture) The intent of this option is to limit the design review to the control of information flow between the security levels of the cyber security defensive architecture -14-

No change to the existing cyber security program Overview of Options: Option #3 Continues the current practice verifying i the compliance of the licensees operational cyber security program via inspection without conducting a cyber security design review of systems that perform safety and important-to-safety functions -15-

Summary A SECY paper is being considered to propose options for including cyber security design requirements for power reactors into NRC regulations Intended to address concerns raised by the ACRS and Design Certification Applicants Three options are being considered: 1. Develop cyber security design regulations to complement the current programmatic cyber security regulations 2. Develop cyber security design regulations to require hardware-based controls for information flow enforcement 3. No action -16-

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information