
Ask SME and Learn
NRC Cyber Security Policy & Guidance Development
Mario R. Fernandez Jr., Security Specialist (Cyber)
Cyber Security Directorate, Office of Nuclear Security & Incident Response

Agenda
- Overview of Basic Requirements: 10 CFR 73.54
- Cyber Security Program Implementation
- Guidance Documents

NRC Cyber Security Program
10 CFR 73.1, Design Basis Threat Rule (2007): cyber attack
10 CFR 73.54: protect those assets associated with SSEP (safety, security, and emergency preparedness) functions from cyber attacks that:
- adversely impact the integrity or confidentiality of data and/or software
- deny access to systems, services, and/or data
- adversely impact the operation of systems, networks, and associated equipment

10 CFR 73.54
- High-level, performance-based, programmatic
- Focus: prevention of radiological sabotage
- Generic (i.e., not reactor-specific)
- Consistent with the physical security regulatory approach

10 CFR 73.54 Basic Requirements
1. Identify Critical Digital Assets (CDAs) that must be protected
2. Apply and maintain a defense-in-depth protective strategy
3. Address security controls for each CDA
4. Mitigate against cyber attacks

10 CFR 73.54 Basic Requirements (continued)
4. Training commensurate with roles and responsibilities for facility personnel, including contractors
5. Review the CSP as a component of the Physical Security Plan
6. Retain records and supporting technical documentation

10 CFR 73.54 requires submission of a Cyber Security Plan (CSP) and an implementation schedule for NRC review and approval.
- All licensees submitted a CSP and an implementation schedule for NRC approval in November 2009
- The CSP describes the Cyber Security Program through site-specific processes and criteria

Guidance Documents
- DG-5022 / Regulatory Guide (RG) 5.71, Cyber Security Programs for Nuclear Facilities (January 2010)
- NEI 08-09 Rev. 6, Cyber Security Plan for Power Reactors, found acceptable (April 2010)

RG 5.71 & NEI 08-09 CSP Template
1. Form a Cyber Security Assessment Team
- Define roles and responsibilities and form a Cyber Security Team (Cyber Security Incident Response Team)
- Build a Cyber Security Assessment Team

RG 5.71 & NEI 08-09 CSP Template
2. Identify Critical Systems (CSs) and Critical Digital Assets (CDAs)

RG 5.71 & NEI 08-09 CSP Template
3. Deploy a defensive architecture: the highest security levels hold safety, important-to-safety, security, and supporting systems/equipment

RG 5.71 & NEI 08-09 CSP Template
4. Apply/address tailored security controls (147) for each CDA, grouped as technical, operational, and management controls. Control families:
- Access Controls
- Audit & Accountability
- CDA/CS & Communication Protection
- Identification and Authentication
- System Hardening
- Media Protection
- Personnel Security
- System & Information Integrity
- System/Service Acquisition
- Maintenance
- Security Assessment and Risk Management
- Physical & Environment Protections
- Defensive Strategy

RG 5.71 & NEI 08-09 CSP Template: Conceptual Approach
Cyber Security Assessment Team -> Identify Critical Digital Assets -> Apply Defensive Architecture -> Address Security Controls:
1. Address each control for each CDA, or
2. Apply alternative measures, or
3. Explain why a control is N/A
[Figure: safety CDAs and security CDAs shown relative to the site LAN and corporate LAN]

Conceptual Approach (RG 5.71 & NEI 08-09 CSP Template): Security Controls
For each CDA, address each control in one of three ways:
(1) Apply the control to the CDA
(2) Apply alternative measure(s) in lieu of one or more controls (justify!)
(3) If the security issue does not exist, then the security control is not applicable
[Figure: a CDA labelled "Authorized User CDA Use Only"]
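One way to make the three-option rule on these two slides checkable, written here as an added Python example (not code from the NRC or NEI documents); the control identifiers and the two CDA records are constructed samples, and a disposition of "alternative" or "n/a" is treated as incomplete unless it carries a justification:

```python
from dataclasses import dataclass, field

# Constructed subset of control ids; the real RG 5.71 / NEI 08-09 catalogue has 147.
CONTROL_IDS = ["AC-1", "AU-1", "IA-1", "SI-1"]

# The three dispositions the CSP template allows for each control.
APPLIED, ALTERNATIVE, NOT_APPLICABLE = "applied", "alternative", "n/a"

@dataclass
class Disposition:
    status: str
    justification: str = ""   # required for ALTERNATIVE and NOT_APPLICABLE

@dataclass
class CDA:
    name: str
    dispositions: dict = field(default_factory=dict)  # control id -> Disposition

def findings(cda: CDA, control_ids=CONTROL_IDS) -> list:
    """Gaps a reviewer would flag for one CDA (empty list = fully addressed)."""
    out = []
    for cid in control_ids:
        d = cda.dispositions.get(cid)
        if d is None:
            out.append(f"{cda.name}: {cid} not addressed")
        elif d.status not in (APPLIED, ALTERNATIVE, NOT_APPLICABLE):
            out.append(f"{cda.name}: {cid} has unknown status {d.status!r}")
        elif d.status != APPLIED and not d.justification.strip():
            out.append(f"{cda.name}: {cid} marked {d.status} without justification")
    return out

def review(cdas) -> list:
    """Findings across every CDA in the plan record."""
    return [f for cda in cdas for f in findings(cda)]

# Constructed sample: one complete record and one with two gaps.
SAMPLE_CDAS = [
    CDA("Reactor protection system controller", {
        "AC-1": Disposition(APPLIED),
        "AU-1": Disposition(ALTERNATIVE, "Events logged by a central collector upstream"),
        "IA-1": Disposition(NOT_APPLICABLE, "No interactive interface; locked cabinet only"),
        "SI-1": Disposition(APPLIED)}),
    CDA("Security camera server", {
        "AC-1": Disposition(APPLIED),
        "AU-1": Disposition(NOT_APPLICABLE),  # N/A claimed with no justification
        "IA-1": Disposition(APPLIED)}),       # SI-1 never addressed
]
```

Running review(SAMPLE_CDAS) reports the unjustified N/A and the missing control on the second CDA and nothing for the first.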

RG 5.71 & NEI 08-09 CSP Template: Defense-in-Depth Protective Strategies
- Strategy 1: incorporate protective security boundaries for timely detection of and response to a cyber attack
- Strategy 2: apply security controls, coupled with the physical security program, to detect, deter, respond to, and recover from a cyber attack
- Strategy 3: maintain the Cyber Security Program

[Figure: Cyber Security Plan conceptual approach, showing safety CDAs and security CDAs relative to the site LAN and corporate LAN]

Cyber Security Plan: maintain the Cyber Security Program

Summary
Overview of Basic Requirements: 10 CFR 73.54
Cyber Security Program Implementation:
1. Establishing a Cyber Security Assessment Team
2. Identification of Critical Systems (CS) and Critical Digital Assets (CDAs)
3. Implementing a Defensive Architecture
4. Application of Security Controls
5. Maintaining the Cyber Security Program

Questions