The Anatomy of an Effective Cyber Security Solution: Regulatory Guidelines and the Technology Required for Compliance




A Bentley White Paper
Hilmar Retief, Product Manager, AssetWise
July 2011
www.bentley.com

The Situation

Among the thousands of structures, systems, and components (SSC) that comprise a nuclear power plant, the component class relied upon most for protection, control, monitoring, and supervision is instrumentation and control (I&C) components and systems. A typical unit has approximately 10,000 sensors and detectors and 3,000 miles of instrumentation cables. In total, the mass of I&C components averages approximately one thousand tons. Next to buildings and structures, I&C represents the heaviest and most extensive infrastructure in any plant.

While statistics that detail the number of fully analog, digital, or hybrid plants are unavailable, approximately 40 percent of the world's 439 nuclear power plants have made some level of digital I&C upgrade to important safety systems. Ninety percent of all the digital I&C installations performed were modernizations of existing reactors, while 10 percent were at new reactors. Moreover, all of the 34 reactors currently under construction worldwide have some digital I&C components in their control and safety systems. [1]

The Evolution of Cyber Security at Nuclear Power Plants

In the past, nuclear power plant I&C and information systems were deemed less vulnerable to cyber attacks because they were isolated from external communication systems. But recently, a number of issues have caused plant operators to pay closer attention to their plants' cyber attack readiness. Among these issues are:
- The advent of digital control systems (DCS);
- Past near-misses related to inadvertent connectivity between outside communication systems and plant control systems (supervisory control and data acquisition/SCADA);
- Comments from high-profile cyber security experts, including General Keith Alexander, director of the National Security Agency (NSA) and head of Cybercom, the United States' new cyber security command, who recently issued a warning of massive increases in the number of attempts by hackers and foreign countries to breach the nation's Internet security.

What started as annoying virus and malware attacks by amateur hackers and disgruntled employees against computers and networks has morphed into worldwide penetration by criminal enterprises and state-sponsored terrorists. In response, the National Institute of Standards and Technology (NIST) issued SP 800-73 [2] and SP 800-53 [3]. During this period, the Nuclear Energy Institute (NEI), in response to 10 CFR 73.54 and in conjunction with RG 5.71 [4], refined the NIST guidelines to suit the nuclear industry. As a result, NEI issued NEI 08-09, an implementation of the NIST guidelines specifically for nuclear power plants. NEI 08-09 identifies a subset of SSC, referred to as safety, security, and emergency planning (SSEP) components, as the primary focus of securing digital plant assets.

[1] SP Instrumentation and Control (I&C) Systems in Nuclear Power Plants: A Time of Transition.
[2] SP 800-73-3, Feb. 2010, Interfaces for Personal Identity Verification (4 Parts)
[3] SP 800-53 Rev. 3, Aug. 2009, Recommended Security Controls for Federal Information Systems and Organizations
[4] RG 5.71, Jan. 2010, Cyber Security Programs for Nuclear Facilities

Security Configuration Management

Security Configuration Management (SCM) is "the management and control of configurations for an information system with the goal of enabling security and managing risk." [5] SCM forms part of the general configuration management process. This continuous process is meant to maintain the initial investment in a security configuration (i.e., the cyber security program) and requires ongoing investment in time, resources, and appropriate management support to ensure ongoing security and return on investment. SCM cannot be successfully maintained in isolation. It is, by definition, embedded in the entire asset lifecycle and must form part of the fundamentals that make up an organization's asset lifecycle information management (ALIM) policy.

Why is SCM important? SCM embedded in ALIM protects systems, networks, and organizations from unauthorized, unanalyzed, and untested changes that make them vulnerable to a wide range of threats. In addition, SCM:
- Facilitates asset management;
- Improves incident response and problem solving;
- Helps with plant engineering design change processes;
- Enables process automation;
- Supports compliance with policies and preparation for audits;
- Is vital to the establishment and maintenance of information security and the security of information systems.

Risk Management Framework

NIST guidelines related to cyber security are centered on the risk management framework (RMF). The RMF is defined as "a risk-based approach to security control selection and specification [which] considers effectiveness, efficiency, and constraints due to applicable laws, directives, executive orders, policies, standards, or regulations." [6] The activities depicted in Figure 1, relating to managing organizational risk (also known as the risk management framework), are paramount to an effective information security program. The framework can be applied to new and legacy information systems within the context of the system development lifecycle and the enterprise architecture.

[5] The Importance of Configuration Management in Building Effective Security Programs, Government Technology Research Alliance (GTRA) Council
[6] NIST, Risk Management Framework (RMF) Overview, http://csrc.nist.gov/groups/sma/fisma/framework.html

Figure 1: Risk Management Framework, NIST

NIST describes the risk management framework in a series of steps:

Categorize
During the categorize step, the criticality and sensitivity of the information system is identified based upon potential adverse and worst-case conditions. Other activities include determining information types, the overall system impact level, and organization- and system-level risk assessment [7], including:
- Identification and documentation of critical systems (CS), which must be protected under the cyber security rule(s);
- Identification and documentation of critical digital assets (CDAs);
- Identification of the digital devices that provide direct or supporting roles in the function of the critical system (e.g., protection, control, monitoring, reporting, or communications);
- Identification of CDAs within the critical system.

Select
The applicable RMF security controls are selected based on the risk assessment. This step tailors and supplements the configuration management family of controls in addition to defining a baseline control structure. This baseline security control set led to the creation of the nuclear controls described in Appendix E of NEI 08-09. While the NEI-identified controls are very similar to the NIST 800-53 Appendix F controls, they are uniquely adapted with regard to guidance and supplemental controls, as identified during the risk assessment.

Implement
This step relates to selecting effective security settings that reduce risks and protect systems from attacks. Security controls are associated with the previously identified CDAs. The association is done during the assessment stage of a cyber security project. Subsequent changes to the CDA must continue to comply with the security control.

[7] 10 CFR 73.54(b)(1) and 10 CFR 73.55(b)(4).

Assess
The assessment of the security controls is accomplished using appropriate methods and procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the system.

Authorize
In this step the facility must authorize information system operation based upon a determination of the acceptable risk to organizational operations, organizational assets, or individuals resulting from the operation of the information system.

Monitor
The monitoring and assessment of selected security controls in the information system is ongoing. It includes documenting changes to the system, conducting security impact analyses of the changes, and reporting the security status of the system to appropriate organization officials on a regular basis.

The RMF outlines a robust process for cyber security with many benefits, including:
- Promoting the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes;
- Encouraging the use of automation to provide senior leaders the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions;
- Integrating information security into the enterprise architecture and system development lifecycle;
- Providing emphasis on the selection, implementation, assessment, and monitoring of security controls, and the authorization of information systems;
- Linking risk management processes at the information system level to risk management processes at the organization level through a risk executive (function);
- Establishing responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems (i.e., common controls).

NEI Fundamentals for Nuclear Power Plant Cyber Security

NEI 08-09 identifies "High Assurance of Protection" as the primary focus of the guideline. It is based on two main tenets:
1. Implementing and documenting the baseline cyber security controls;
2. Implementing and documenting a cyber security program to maintain the established cyber security controls through a comprehensive lifecycle approach, known as asset lifecycle information management (ALIM). [8]

[8] Sid Snitkin & Bob Mick, ARC Advisory Group, January 2010, Information Management Strategies for Asset Lifecycle Management

Recommended Criteria for Cyber Security Technology

Cyber security information is spread throughout a nuclear facility or fleet, and effective methods for managing and maintaining its security must reach across many data repositories, disciplines, and enterprise systems. It is this complexity that makes it necessary for an effective cyber security solution to be built within the scope of an overall ALIM strategy. ALIM, at its most basic, manages change and controls information throughout the life span of infrastructure, ensuring the delivery of relevant, trusted information, in context, where and when it is needed. Effective ALIM technology links interrelated data to enable change impact analysis.

It is inevitable, due to the nature of cyber security threats, that multiple departments, skills, and disciplines will become involved in the day-to-day process of assessing and maintaining cyber controls in the context of the assets that they affect. While there will be slight variations among organizations, cyber security controls will typically require capabilities in the following categories:
- Information modeling and classification for the security control catalog
- Configuration management
- Change control and impact analysis
- Requirements management
- Component inventory/master equipment list management
- Knowledge management and training
- Records management
- Corrective action

In this section the primary focus is on the monitor step as defined in the risk management framework. The ongoing monitoring process includes: [9]
- Configuration management of CDAs;
- Cyber security impact analyses of changes to the CDAs or their environment(s) to ensure that implemented cyber security controls are performing their functions effectively;
- Ongoing assessments to verify that the cyber security controls implemented for CDAs remain in place throughout the lifecycle of the CDA;
- Verification that rogue assets are not connected to the network infrastructure.

Security Control Catalog

One of the first activities in setting up a cyber security program is the definition of a security control catalog. The categorize, select, and implement steps of the risk management framework require licensees to categorize types of information, digital assets, and critical digital assets as part of the initial assessment process. In the select step, the licensee selects applicable controls to populate the security control catalog. For nuclear installations, NEI 08-09 provides a template that derives from the catalog provided in NIST 800-53 Appendix F. Lastly, during the implement step a CDA is assessed based on various criteria, including risk, application, and integration, and then associated with the security control to which it applies. This implement phase concludes with the documented security baseline, which is to be maintained going forward as part of a well-defined configuration management process.

The security control catalog is a subset of the overall site requirements. It is managed using the tool's requirements management capability, which is discussed later in this document.

[9] NIST 800-37 Rev. 1

Configuration Management and Change Control

Configuration management and change control is mandated in cyber security guidelines, including NIST, NEI, and critical infrastructure protection (CIP). These require the licensee to identify the procedure or software to be used to maintain the cyber program. As part of the configuration management process, cyber security tools employ manual or automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of CDAs. The up-to-date baseline configurations are documented and the configurations are audited every 92 days. [10]

Change Management

For cyber security tools to comply with the NIST and NEI guidelines, and to show return on investment for the technologies applied, proper configuration change control mechanisms must be inherently and fundamentally part of the software. Change management features must include:
- Authorization and documentation of changes to CDAs;
- Retention and records review of CDA configuration changes, and an audit of activities associated with CDA configuration changes;
- Mechanisms to document changes to CDAs and notify designated approval authorities;
- A method to prohibit implementation of changes until designated approvals are received and documented.

[10] NEI 08-09 Rev. 6

A further requirement of cyber security guidelines mandates that all changes be documented and designated as records. The documentation elements for baseline configurations, again inherent to cyber security tools, include:
- A log of configuration changes made
- The name of the person who implemented the change
- The date of the change
- The purpose of the change
- Observations made during the course of the change

The Code of Federal Regulations (CFR) further mandates that modifications to CDAs be evaluated for their cyber security impact prior to implementation in order to achieve "high assurance that digital computer and communications systems and networks are adequately protected against cyber attacks up to and including design basis threats." [11] With cyber security tools that include configuration and change control as part of their core functionality, this requirement is satisfied implicitly. Plant modifications are just extensions of the change process and fully incorporate the change control characteristics defined above.

Impact Analysis

Impact analysis is the ability to easily access a report or dataset that reveals the systems, assets, documents, programs, etc., that are directly, indirectly, and potentially affected by a configuration change. The result of the impact analysis is then used to ensure that all possible effects, seen and unseen, are taken into account before the change is allowed to be implemented. Traditionally an impact analysis report is generated through countless hours of research, word searches, and tacit knowledge hidden in the minds of experienced engineers. An ALIM cyber security tool greatly lessens the burden of creating this report by leveraging relationships between information objects such as assets, documents, processes, and programs. These relationships are created as part of the ALIM process, which is an essential characteristic of proper cyber security software.

To be most effective, cyber security impact analysis is performed prior to making a design or configuration change to a CDA, or when changes to the environment occur. Interdependencies of other CDAs or support systems are evaluated, documented, and incorporated into the cyber security impact analysis. [12] These impact analyses are performed as part of the change approval process to assess the impacts of the changes on the cyber security state of CDAs and systems that can affect SSEP functions. The security impact assessment is performed and documented as part of the change approval process.

[11] 10 CFR 73.54(a)(1) and 10 CFR 73.54(d)(3)
[12] NEI 08-09 Rev. 6, Security Control 10.5
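The change-control properties listed above (approval gating, the required record fields, and impact analysis over the relationships between assets, documents, and programs) can be modelled in a few dozen lines. The following is an added example written for this page, not Bentley's, NEI's, or any vendor's code; every asset name, relationship, approver role, and date in it is a constructed sample.

```python
"""Security configuration management model for critical digital assets (CDAs).

Added example (not the white paper's code). A change to a CDA is blocked until
every designated approval is recorded, each implemented change is logged with
the record fields the guidelines require, and an impact analysis over the
relationships between information objects is produced before approval.
All asset names, relationships, approvers and dates are constructed samples.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field
from datetime import date


class ChangeControlError(Exception):
    """Raised when a change would violate the configuration control process."""


@dataclass
class ChangeRecord:
    """Documentation elements required for each baseline configuration change."""
    cda: str
    implemented_by: str      # name of the person who implemented the change
    implemented_on: date     # date of the change
    purpose: str             # purpose of the change
    observations: str        # observations made during the course of the change
    new_config: dict


@dataclass
class ChangeRequest:
    cda: str
    new_config: dict
    purpose: str
    required_approvers: frozenset[str]            # designated approval authorities
    approvals: dict[str, date] = field(default_factory=dict)

    def approve(self, approver: str, when: date) -> None:
        if approver not in self.required_approvers:
            raise ChangeControlError(f"{approver} is not a designated approval authority")
        self.approvals[approver] = when

    def fully_approved(self) -> bool:
        return self.required_approvers <= set(self.approvals)


class SecurityConfigurationManager:
    def __init__(self) -> None:
        self.baseline: dict[str, dict] = {}        # CDA -> current approved configuration
        self.relations: dict[str, set[str]] = {}    # object -> objects that depend on it
        self.change_log: list[ChangeRecord] = []    # retained records of every change

    def register_cda(self, name: str, config: dict) -> None:
        self.baseline[name] = dict(config)

    def relate(self, obj: str, dependent: str) -> None:
        """Record that `dependent` (asset, document, program) relies on `obj`."""
        self.relations.setdefault(obj, set()).add(dependent)

    def impact_analysis(self, cda: str) -> dict[str, list[str]]:
        """Objects directly and (transitively) indirectly affected by a change to `cda`."""
        direct = sorted(self.relations.get(cda, set()))
        seen, indirect, queue = set(direct) | {cda}, [], deque(direct)
        while queue:
            for nxt in sorted(self.relations.get(queue.popleft(), set())):
                if nxt not in seen:
                    seen.add(nxt)
                    indirect.append(nxt)
                    queue.append(nxt)
        return {"direct": direct, "indirect": indirect}

    def implement(self, req: ChangeRequest, implementer: str, when: date,
                  observations: str) -> ChangeRecord:
        """Apply an approved change to the baseline and log the required record."""
        if req.cda not in self.baseline:
            raise ChangeControlError(f"{req.cda} is not an inventoried CDA")
        if not req.fully_approved():
            missing = sorted(req.required_approvers - set(req.approvals))
            raise ChangeControlError(f"change to {req.cda} lacks approval from {missing}")
        record = ChangeRecord(req.cda, implementer, when, req.purpose, observations,
                              dict(req.new_config))
        self.baseline[req.cda] = dict(req.new_config)
        self.change_log.append(record)
        return record


def demo() -> tuple[dict, ChangeRecord, bool]:
    """Walk one constructed firmware change through impact analysis and approval."""
    scm = SecurityConfigurationManager()
    scm.register_cda("PLC-FW-101", {"firmware": "4.2", "remote_mgmt": "disabled"})
    scm.relate("PLC-FW-101", "FEEDWATER-CTRL")      # controlled system
    scm.relate("FEEDWATER-CTRL", "DWG-FW-0042")      # design drawing
    scm.relate("FEEDWATER-CTRL", "PROC-OP-117")      # operating procedure
    scm.relate("PLC-FW-101", "SEC-CTRL-10.5")        # security control assessed against it

    req = ChangeRequest("PLC-FW-101", {"firmware": "4.3", "remote_mgmt": "disabled"},
                        "vendor security patch",
                        frozenset({"cyber_security_lead", "system_engineer"}))
    impact = scm.impact_analysis(req.cda)            # performed before approval
    req.approve("cyber_security_lead", date(2011, 7, 1))
    blocked = False
    try:
        scm.implement(req, "tech_a", date(2011, 7, 2), "")   # one approval still missing
    except ChangeControlError:
        blocked = True
    req.approve("system_engineer", date(2011, 7, 3))
    record = scm.implement(req, "tech_a", date(2011, 7, 5),
                           "firmware checksum verified after load")
    return impact, record, blocked
```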

Requirements Management

Requirements definition is a critical part of any system development process and begins very early in the life cycle, typically in the initiation phase. Security requirements are a subset of the overall functional and nonfunctional (e.g., quality, assurance) requirements levied on an information system and are incorporated into the system development life cycle simultaneously with the functional and nonfunctional requirements. Without the early integration of security requirements, significant expense may be incurred by the organization later in the life cycle to address security considerations that could have been included in the initial design. When security requirements are considered as an integral subset of other information system requirements, the resulting system has fewer weaknesses and deficiencies and, therefore, fewer vulnerabilities that can be exploited in the future. [13]

A requirements management capability is a key feature of cyber security tools. The catalog of security controls identified in the NIST (NIST 800-53 App. F) and NEI (NEI 08-09 App. E) guidelines is a subset of the larger set of requirements governing site and plant implementations. Other well-known requirements include the design basis documentation, license basis, environmental qualification, and many more. Once the cyber security control catalog is fully documented in the tool, it is critical that the affected CDAs belonging to the security controls are easily identified in order to efficiently maintain and monitor changes, as well as any resulting configuration control activities. Ideally these security controls will be identified during the impact analysis phase, prior to the approval of any changes to the affected CDAs.

Another critical feature of security control maintenance as part of the requirements management capability is a properly managed and controlled change process for the controls or requirements themselves. Changes to the controls, although probably less frequent than changes to the CDAs, still need the same rigor and reporting capability. These include:
- A log of configuration changes made
- The name of the person who implemented the change
- The date of the change
- The purpose of the change

Changing the security controls also requires scrutiny of the impact analysis to determine whether a change to the security control alters the assessment result based on the previous revision of the control.

Training

Adhering to cyber security guidelines implies that training programs are established, implemented, and documented for personnel performing, verifying, or managing activities within the scope of the program. This assures that suitable proficiency is achieved and maintained. [14] An ALIM cyber security tool provides the capability to create a qualification matrix.

[13] NIST 800-37 Rev. 1
[14] NEI 08-09 Rev. 6, Security Control 4.8

With the help of this matrix, personnel qualifications are cross-referenced to their permissions and skills insofar as these affect their ability to interact with plant operations, such as creating or participating in plant modifications, approving component configurations, etc. The qualification matrix ensures that cyber-security-related technical training certifications are complete and up to date. Personnel must have the proper cyber security training credentials:
- Before authorizing access to CDAs or performing assigned duties;
- When required by policy or procedure changes and plant modifications.

Retraining of plant personnel is required every year [15] to mitigate risk and maintain skills. A fully featured ALIM cyber security tool provides notifications to plant personnel before they lose their credentials.

Component Inventory

In order to intelligently and seamlessly integrate security controls and the critical digital assets that affect them, cyber security tools must have a component inventory capability. This list is also referred to as the master equipment list. The component inventory must have the following properties as it pertains to cyber security: [16]
- Reflect the current system configuration;
- Establish that the location (logical and physical) of components is consistent with the authorized boundary of the CDA;
- Provide the level of granularity deemed necessary for tracking and reporting, and for achieving effective property accountability;
- Update the inventory of system components as an integral part of component installations and system updates;
- Employ mechanisms to maintain an up-to-date, complete, accurate, and readily available inventory of system components;
- Employ automated mechanisms to detect the addition of unauthorized components/devices, and disable access by such components/devices or notify designated officials;
- Include site licensee documents that provide the names or roles of the individuals responsible for administering those components.

Ideally, the cyber security component inventory is not yet another data silo, but rather a subset of the plant master equipment list. This allows maintainers of CDA change processes to always have the complete set of assets available for assessment, taking into account that some changes may, for example, replace analog components with digital components. Silos of data separating CDAs from the rest of the component population could easily cause a change to go unnoticed, putting the cyber security program at risk.

[15] NEI 08-09 Rev. 6, Security Control 8.3
[16] NEI 08-09 Rev. 6, Security Control 10.9
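The inventory properties just listed, together with the 92-day baseline audit interval from the Configuration Management and Change Control section, amount to a reconciliation check: what is actually connected is compared with the authorized inventory, and each CDA is checked for boundary, administrator, and audit currency. The following is an added example for this page, not the white paper's or any vendor's code; the inventory entries, MAC addresses, zone names, and the observed-device list are constructed samples, and using the MAC as the matching identity is an assumption of the example.

```python
"""Component inventory reconciliation for a cyber security program.

Added example, not the white paper's code. It flags: devices on the network
that are not in the inventory (candidates for disabling or notification), CDAs
in the inventory that were not observed, CDAs located outside the authorized
boundary, components whose logical location differs from the inventory, CDAs
with no responsible administrator, and baselines not audited within 92 days.
All records below are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

AUDIT_INTERVAL = timedelta(days=92)                 # audit cadence stated in the paper
AUTHORIZED_ZONES = {"safety-net", "control-net"}    # constructed authorized boundary


@dataclass(frozen=True)
class InventoryEntry:
    component_id: str
    mac: str                # identity used to match observed devices (assumption)
    network_zone: str       # logical location
    cabinet: str            # physical location
    is_cda: bool
    administrator: str      # name or role responsible for administering the component
    last_audit: date        # date the baseline configuration was last audited


@dataclass(frozen=True)
class ObservedDevice:
    mac: str
    network_zone: str


def reconcile(inventory: list[InventoryEntry], observed: list[ObservedDevice],
              today: date) -> dict[str, list[str]]:
    """Compare the authorized inventory with what is actually connected."""
    findings: dict[str, list[str]] = {
        "unauthorized_devices": [], "missing_cdas": [], "outside_boundary": [],
        "zone_mismatch": [], "no_administrator": [], "audit_overdue": [],
    }
    by_mac = {e.mac: e for e in inventory}
    seen_macs: set[str] = set()
    for dev in observed:
        entry = by_mac.get(dev.mac)
        if entry is None:                       # rogue asset: not in the inventory at all
            findings["unauthorized_devices"].append(f"{dev.mac}@{dev.network_zone}")
            continue
        seen_macs.add(dev.mac)
        if entry.network_zone != dev.network_zone:   # inventory no longer reflects reality
            findings["zone_mismatch"].append(entry.component_id)
    for entry in inventory:
        if entry.is_cda and entry.mac not in seen_macs:
            findings["missing_cdas"].append(entry.component_id)
        if entry.is_cda and entry.network_zone not in AUTHORIZED_ZONES:
            findings["outside_boundary"].append(entry.component_id)
        if not entry.administrator.strip():
            findings["no_administrator"].append(entry.component_id)
        if today - entry.last_audit > AUDIT_INTERVAL:
            findings["audit_overdue"].append(entry.component_id)
    return findings


def sample_findings() -> dict[str, list[str]]:
    """Run the reconciliation over a constructed inventory and device list."""
    today = date(2011, 7, 15)
    inventory = [
        InventoryEntry("PLC-FW-101", "00:11:22:33:44:01", "control-net", "C-12", True,
                       "I&C engineer", date(2011, 6, 1)),
        InventoryEntry("RPS-CH-A", "00:11:22:33:44:02", "safety-net", "S-03", True,
                       "I&C engineer", date(2011, 3, 1)),          # audit older than 92 days
        InventoryEntry("HMI-OPS-7", "00:11:22:33:44:03", "business-net", "O-01", True,
                       "", date(2011, 7, 1)),                        # no administrator, wrong zone
        InventoryEntry("PRINTER-2", "00:11:22:33:44:04", "business-net", "O-02", False,
                       "IT helpdesk", date(2011, 7, 1)),
    ]
    observed = [
        ObservedDevice("00:11:22:33:44:01", "control-net"),
        ObservedDevice("00:11:22:33:44:03", "control-net"),   # HMI moved without an inventory update
        ObservedDevice("00:11:22:33:44:04", "business-net"),
        ObservedDevice("de:ad:be:ef:00:01", "control-net"),   # device not in the inventory
    ]
    return reconcile(inventory, observed, today)
```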

Knowledge Management

Even with ample guidance provided by NIST, NEI, and CIP, and the creation of operating procedures that will mandate employees to follow specific, tested, and approved procedures, there will always be an occasion when employees will rely on experience and hearsay. In general, employees don't necessarily choose to NOT follow established procedures, but rather these employees over time and through experience have found better ways to do their jobs. Through this experience they gathered undocumented tacit knowledge by applying tricks of the trade. Unfortunately this tacit knowledge is often far more efficient and detailed than any documented procedure, because it is more situationally specific and takes into account many nuanced effects that could not have been foreseen when the operating procedure was written. Tribal knowledge is created when this tacit knowledge is shared from one employee to another. Tribal knowledge, while often leading to better, more efficient work practices, is by its very definition undocumented, and as a result makes the organization dependent on these subject matter experts. In addition, by not following a structured process for consuming this information, a lack of rigor can occur. For these reasons it is important, not just in general but specifically to maintain the cyber security investment, to have a program in place that will capture, validate, and approve this tacit knowledge. This enables others to learn from it in a structured format and ultimately allows operating procedures to be updated to reflect this valuable information.

The cyber security toolset should include a repository in which knowledge is gathered, validated, and approved. This forms an interactive knowledge base of incidents, operating experience, lessons learned, and more, all contributing to the organization's body of knowledge in dealing with cyber security. As more knowledge items are added over time, this knowledge library improves the capability of the organization to defend itself against detrimental cyber attacks, by improving the awareness of all employees to cyber threats.

Records Management

All phases of cyber security management involve records management. This includes:

- Documenting key observations, analyses, and findings during the assessment process,
- Transmitting assessment documentation, including supporting information, to records management in accordance with 10 CFR 73.54(h),
- Documenting how each of the technical cyber security controls was addressed for each CDA,
- Keeping records that are generated in the establishment, implementation, and maintenance of the cyber security program,
- Recording when digital assets are added or modified,
- Keeping records and supporting technical documentation required to satisfy the requirements of the security controls.

[15] NEI 10 CFR 73.54(d)(2) and 10 CFR 73.55(b)(10)
[16] NEI 08-09 Rev 3

Document control is an established and mandated requirement of all nuclear facilities. Creating and maintaining a cyber security plan leverages this capability and requires that all important milestones in the creation and maintenance of the plan are documented and transmitted to the records control system. Having an integrated document and records management capability as part of the cyber security tool is most convenient, but since operating facilities most likely have a designated records management system, it is important to ensure that the cyber security tool easily and seamlessly integrates with the records management system. This allows users to submit and extract documentation easily, knowing that they always have the latest and most recently approved revision.

Quality Assurance (Corrective Action)

A site condition reporting and corrective action system is used to:

- Track, trend, correct, and prevent recurrence of cyber security failures and deficiencies
- Evaluate and manage cyber risks[17]

Cyber-security-related issues are identified and addressed during the change management process, and therefore are not handled by a corrective action program. Adverse conditions identified after the modification is implemented are entered into the site corrective action program.[18]

[17] 10 CFR 73.54(d)(2) and 10 CFR 73.55(b)(10)
[18] NEI 08-09 Rev 6 Section 4.4.2

During the initial and periodic assessments, assets are evaluated against the industry security controls as defined in NIST 800-53 and NEI 08-09. In most cases, these observations will result in an assessment indicating to what degree the asset complies with the intent of the security control. In cases where the asset is deemed to be exposed to cyber risks, tangible actions are required to address and correct the deficiency. This is where the station condition report and corrective action program is relied upon to document the problem or threat, identify the asset(s), and propose a corrective action to resolve or eliminate the threat. Corrective action could be a response to an assessment or could be initiated from an observation made during the change processes discussed earlier.

A Solution is Available Now

Bentley Systems has developed technology that addresses the enterprise information management goals of the industry with best practice applications developed to support industry regulatory guidelines. Its eb product is an ALIM platform that includes an integrated suite of applications specific to the nuclear industry. eb offers a unique blend of enterprise content management (ECM) and a four-star certified configuration management platform that provides robust solutions ideal for facilities with rapidly changing, mission-critical operational information operating in highly regulated industries. In addition, it offers:

- a modern multi-tier, service-oriented architecture based on Microsoft technology; the platform provides scalability, flexibility, rapid application development, and simplified integration with other systems;
- the unique ability to manage information in context by linking (associating) events, documents, records, and actions with assets, people, knowledge, skills, processes, projects, functions, surveys, and behaviors; this capability creates a multi-dimensional contextual framework that delivers complete and accurate information on demand;
- industry best practices in the implementation of a cyber-security program as well as information management, design engineering, compliance, knowledge management, performance improvement, and training (see Figure 2).

Moreover, Bentley has unparalleled knowledge of and commitment to the nuclear market.

Figure 2: Bentley's eb offering includes an unparalleled nuclear application suite.

The eb solution is workflow-driven and the cyber security application includes the following workflows:

- Cyber security initial and periodic assessments
  »» Initial assessments include
     -- Site assessments, including common controls
     -- SSEP identification (system level) of critical systems and investigation of whether each meets the requirements for containing digital assets
     -- CDA individual asset assessments (identified during SSEP identification)
- Cyber-security-related general and training observations
- Benchmarking
- Focused self-assessment
- Station and INPO operating experience, including dashboard reports showing key performance indicators in real time
- Knowledge management
- Design engineering, including cyber security affected modifications

Cyber Security and Performance Improvement

Cyber security standards, measures, principles, and implementation tools are fully incorporated into the cyber security program to eliminate events caused by cyber attacks by applying a defense-in-depth concept. This is implemented within eb by the collection of cyber-security-related data in all aspects of the workflows discussed above. The integrity of the data mined from eb provides the detail and quality to improve cyber security compliance across the enterprise. The administration of a cyber security program includes working with department managers to maintain a schedule of self-assessments and benchmarking efforts for the program. In execution, this means collecting, trending, and analyzing observation, self-assessment, and benchmarking data associated with initial and periodic cyber security assessments. This is followed by performance reporting as well as the identification of adverse trends in cyber security application at the station. From the accountability standpoint, performance is tracked at the site, department, section, and crew levels.

Figure 3: Bi-directional relationships between modeled objects in eb.

Within eb, relationships can be established for all workflows between the event and related locations, documents, maintenance work orders, other events (condition reports), plant systems, components, and causal departments. These relationships are bidirectional (see Figure 4). In cyber security management, data may be used to answer the following questions:

- Is that security control applicable, and to what components and systems does it apply?
- What security controls are applicable to this component?
- If this modification is implemented, what security controls are still applicable and what others are no longer applicable?

In a similar way, all system data in eb are tied together using object relationships. This provides management capabilities never before seen in the nuclear industry, or in any other industry.

The Outcome

Today it is possible to implement a fully integrated process that meets and exceeds industry oversight guidelines. eb cyber security capabilities are aligned with industry guidelines. Management is continuously involved in cyber security processes, review, and approval of plant modifications, and cyber security deviations and waivers. Corrective actions can occur quickly because the database is live. In addition, staff can see what is coming to them when work items are placed in an inbox. Knowledge and skills (and specific behaviors) can be addressed by the emerging knowledge management process. This process creates self-assessments and data decision support. Self-assessments evaluate skill levels and determine how much knowledge loss, if any, will result as an increasing number of employees approach retirement. Knowledge transfer evaluates the effectiveness of maintaining and improving employee knowledge and skill level.
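The three questions listed under the bidirectional relationships above can all be answered from one structure if every link between objects is stored from both ends. The following Python is an added example and is not eb's data model or API: the control identifiers (CTRL-...), the component attributes, the rule that a control applies to a component when the component has every attribute the control requires, and the modification MOD-EXAMPLE-017 are all constructed assumptions used only to show how the queries work.

```python
"""Bidirectional object relationships, as an added example (not eb's data model).
Control ids, component attributes, the applicability rule and the modification
are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

Obj = Tuple[str, str]  # (kind, identifier), e.g. ("component", "FW-PLC-01")

@dataclass(frozen=True)
class Control:
    control_id: str
    requires: FrozenSet[str] = frozenset()  # attributes a component must have

@dataclass
class Component:
    component_id: str
    system: str
    attributes: Set[str]

@dataclass
class Modification:
    mod_id: str
    component_id: str
    adds: Set[str] = field(default_factory=set)
    removes: Set[str] = field(default_factory=set)

class Relationships:
    """Every link is stored from both ends, so any object can be queried from any other."""

    def __init__(self) -> None:
        self._links: Dict[Obj, Set[Obj]] = defaultdict(set)

    def link(self, a: Obj, b: Obj) -> None:
        self._links[a].add(b)
        self._links[b].add(a)

    def unlink(self, a: Obj, b: Obj) -> None:
        self._links[a].discard(b)
        self._links[b].discard(a)

    def related(self, obj: Obj, kind: str) -> List[str]:
        return sorted(ident for k, ident in self._links[obj] if k == kind)

class SecurityModel:
    def __init__(self, controls: List[Control]) -> None:
        self.controls = {c.control_id: c for c in controls}
        self.components: Dict[str, Component] = {}
        self.rel = Relationships()

    def applicable(self, attributes: Set[str]) -> List[str]:
        """Assumed rule: a control applies when the component has every attribute it requires."""
        return sorted(c.control_id for c in self.controls.values() if c.requires <= attributes)

    def _relink_controls(self, comp: Component) -> None:
        key = ("component", comp.component_id)
        for old in self.rel.related(key, "control"):
            self.rel.unlink(key, ("control", old))
        for cid in self.applicable(comp.attributes):
            self.rel.link(key, ("control", cid))

    def add_component(self, comp: Component) -> None:
        self.components[comp.component_id] = comp
        self.rel.link(("component", comp.component_id), ("system", comp.system))
        self._relink_controls(comp)

    def control_scope(self, control_id: str) -> Tuple[List[str], List[str]]:
        """Q1: to which components and systems does this control apply?"""
        comps = self.rel.related(("control", control_id), "component")
        return comps, sorted({self.components[c].system for c in comps})

    def controls_for(self, component_id: str) -> List[str]:
        """Q2: which controls apply to this component?"""
        return self.rel.related(("component", component_id), "control")

    def modification_impact(self, mod: Modification) -> Dict[str, List[str]]:
        """Q3: which controls remain, lapse or newly apply if the modification is implemented?"""
        comp = self.components[mod.component_id]
        before = set(self.controls_for(comp.component_id))
        after = set(self.applicable((comp.attributes - mod.removes) | mod.adds))
        return {"still_applicable": sorted(before & after),
                "no_longer_applicable": sorted(before - after),
                "newly_applicable": sorted(after - before)}

    def apply_modification(self, mod: Modification) -> None:
        """Implement the modification, relink its controls and record the link to it."""
        comp = self.components[mod.component_id]
        comp.attributes = (comp.attributes - mod.removes) | mod.adds
        self._relink_controls(comp)
        self.rel.link(("modification", mod.mod_id), ("component", comp.component_id))

def build_sample_model() -> SecurityModel:
    """Constructed sample: three controls, three components in two plant systems."""
    m = SecurityModel([Control("CTRL-ACCESS"),
                       Control("CTRL-REMOTE", frozenset({"network"})),
                       Control("CTRL-MEDIA", frozenset({"removable_media"}))])
    m.add_component(Component("FW-PLC-01", "Feedwater", {"digital", "network"}))
    m.add_component(Component("FW-HMI-01", "Feedwater", {"digital", "network", "removable_media"}))
    m.add_component(Component("RX-LVL-02", "Reactor Level", {"digital"}))
    return m

# Constructed modification: the PLC loses its network link and is updated by removable media.
SAMPLE_MOD = Modification("MOD-EXAMPLE-017", "FW-PLC-01", adds={"removable_media"}, removes={"network"})
```

The point of `Relationships.link` writing both directions is that `control_scope` and `controls_for` are the same lookup read from opposite ends; `modification_impact` evaluates the proposed state without touching the live links, so the assessment can be reviewed before `apply_modification` records the change.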
Culture is monitored using the survey feature for safety culture, and employee surveys can be administered to collect data on cultural elements. Surveys allow for the collection of relevant data for any purpose. Excellence in cyber security is achieved through comprehensive process design and diligent management oversight.

Performance Monitoring

All areas listed below are identified by industry guidelines as key performance monitoring requirements, and are managed through the eb performance improvement application and/or key performance indicators (KPIs) pulled from the eb database (cyber assessment, performance assessment, performance indicators, benchmarking, self-assessments, industry operating experience, behavior observations, problem reporting, standards, and trending). Gaps are primarily identified, validated, and trended for corrective and preventative action. The following are examples of performance monitors:

- Cyber security assessments
- Performance assessment/trending
- Performance indicators
- Benchmarking
- Self assessments
- Industry operating experience
- Behavior observations
- Problem reporting
- Effectiveness reviews

Analyzing, Identifying, and Planning Solutions

Because of the comprehensive linking of objects at the core of the eb functionality, eb can perform global extent of condition (generic implications) with speed and accuracy. Management receives KPIs describing overall performance based on a composite index of cyber security related performance factors. This allows management to address risk factors based on well-established facts.

Doing Even More With Data in Context

Knowledge management enables reuse and leverages the knowledge base through data collected in eb. For example, eb connects to a report writing tool that configures information and inputs it to a site business director. This capability shows all of the items that need improvement, so that they can be incorporated into future business plans. In addition, business plan items may be assigned using the corrective action workflow, enabling a single list for driving both types of work. Another knowledge management example employs the flexible survey capability of eb to build additional features supporting knowledge transfer and knowledge retention with the following objectives:

- Develop a strategic approach and action plan to address potential loss of knowledge, and institutionalize this process for operational sustainability;
- Provide the process and tools for conducting risk assessments to determine the potential loss of knowledge, especially undocumented knowledge, caused by the retirement of experienced employees;
- Identify areas of vulnerability due to the lack of documented processes or procedures;
- Use previously captured knowledge to improve the skills of new and existing employees.

Proof Under Stress

The safety culture issue can become quite complex in analysis. The NRC defines safety culture as "that assembly of characteristics and attitudes in organizations and individuals, which establishes that, as an overriding priority, nuclear plant safety issues receive the attention warranted by the significance." The 13 components of NRC safety culture are:

1. Decision Making
2. Resources
3. Work Control
4. Work Practices
5. Corrective Action Program
6. Operating Experience
7. Self and Independent Assessments
8. Environment for Raising Nuclear Safety Concerns
9. Preventing, Detecting, and Mitigating Perceptions of Retaliation
10. Accountability
11. Continuous Learning Environment
12. Organizational Change Management
13. Safety Policies

Bentley's eb products can provide NRC and other industry oversight organizations with relevant data aligned to their specific criteria.

Conclusions

Operational excellence drove the U.S. nuclear industry to develop and refine the SNPM, as well as related cyber security and performance improvement guidelines. In essence, the SNPM is a process model for safe, reliable, and economically competitive nuclear power generation. Bentley has architected and implemented eb to be a proactive, fully integrated, self-contained, and self-supporting system that provides robust feedback to management processes. This represents a huge leap forward and has significant benefit potential for the entire nuclear industry.

Works Cited

Instrumentation and Control (I&C) Systems in Nuclear Power Plants: A Time of Transition. (n.d.).
Meeting, G. C. (n.d.). The Importance of Configuration Management in Building Effective Security Programs.
NIST. (n.d.). NIST 800-37.
NIST. (n.d.). NIST 800-53 Revision 3.
Snitkin, S. (n.d.). Asset Lifecycle Information Management: Managing Performance across the Asset Lifecycle. ARC Strategies.
Stout, J. M. (n.d.). The Inevitability of International Cyber Attacks: Are We Ready?

© 2011 Bentley Systems Incorporated. Bentley and the "B" Bentley logo are either registered or unregistered trademarks or service marks of Bentley Systems, Incorporated, or one of its direct or indirect wholly-owned subsidiaries. Other brands and product names are trademarks of their respective owners. DAA039730-1/0001