A Regulatory Approach to Cyber Security

Similar documents
NRC Cyber Security Policy &

NRC Cyber Security Regulatory

Options for Cyber Security. Reactors. April 9, 2015

U.S. NUCLEAR REGULATORY COMMISSION January 2010 REGULATORY GUIDE OFFICE OF NUCLEAR REGULATORY RESEARCH. REGULATORY GUIDE 5.71 (New Regulatory Guide)

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C March 3, 2011

Cyber Security R&D (NE-1) and (NEET-4)

Spreading the Word on Nuclear Cyber Security

Cyber Security Evaluation of the Wireless Communication for the Mobile Safeguard Systems in uclear Power Plants

The U.S. Nuclear Regulatory Commission s Cyber Security Regulatory Framework for Nuclear Power Reactors

Cyber Security for Nuclear Power Plants Matthew Bowman Director of Operations, ATC Nuclear IEEE NPEC Meeting July 2012

Cynthia Broadwell, Progress Energy. William Gross, Nuclear Energy Institute

Cyber Security Considerations in the Development of I&C Systems for Nuclear Power Plants

Executive Director for Operations AUDIT OF NRC S CYBER SECURITY INSPECTION PROGRAM FOR NUCLEAR POWER PLANTS (OIG-14-A-15)

Security Requirements for Spent Fuel Storage Systems 9264

abstract NRC Headquarters United States Nuclear Regulatory Commission

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C November 13, 2012

NEI [Rev. 6] Cyber Security Plan for Nuclear Power Reactors

Ask SME and Learn. NRC Cyber Security Oversight. Cyber Security Directorate

A Cost-Efficient Approach to High Cyber Security Assurance in Nuclear Power Plants

NUCLEAR REGULATORY COMMISSION. 10 CFR Part 73 [NRC ] RIN 3150-AJ37. Cyber Security Event Notifications

THE STATUS OF CYBER SECURITY IN NUCLEAR ENERGY

REGULATORY GUIDE 5.29 (Draft was issued as DG 5028, dated May 2012) SPECIAL NUCLEAR MATERIAL CONTROL AND ACCOUNTING SYSTEMS FOR NUCLEAR POWER PLANTS

A CYBER SECURITY RISK ASSESSMENT FOR THE DESIGN OF I&C SYSTEMS IN NUCLEAR POWER PLANTS

How To Improve Safety At A Nuclear Power Plant

Security for Independent Spent Fuel Storage Installations (ISFSI)

AN ANALYSIS OF TECHNICAL SECURITY CONTROL REQUIREMENTS FOR DIGITAL I&C SYSTEMS IN NUCLEAR POWER PLANTS

Cyber Security Presentation. Ontario Energy Board Smart Grid Advisory Committee. Doug Westlund CEO, N-Dimension Solutions Inc.

REGULATORY GUIDE OFFICE OF NUCLEAR REGULATORY RESEARCH. REGULATORY GUIDE (Draft was issued as DG-1226, dated August 2009)

NEI 06-13A [Revision 0] Template for an Industry Training Program Description

NUCLEAR REGULATORY COMMISSION

OVERVIEW OF THE OPERATING REACTORS BUSINESS LINE. July 7, 2016 Michael Johnson Deputy Executive Director for Reactor and Preparedness Programs

NORTH CAROLINA EASTERN MUNICIPAL POWER AGENCY SHEARON HARRIS NUCLEAR POWER PLANT, UNIT 1. Renewed License No. NPF-63

REGULATORY GUIDE (Draft was issued as DG-1267, dated August 2012)

Building Insecurity Lisa Kaiser

WordPerfect Document Compare Summary

Cyber Security and Other Realities of Our Digital World Andy Dickson IT Director Nuclear Fleet Operations

Backgrounder Office of Public Affairs Telephone: 301/

REGULATORY GUIDE (Draft was issued as DG-1207, dated August 2012)

NEI [Revision 2] Identifying Systems and Assets Subject to the Cyber Security Rule

NRC INSPECTION MANUAL INSPECTION PROCEDURE 88045

PUBLIC MEETING. details&code APPLICATIONS FOR NUCLEAR POWER PLANTS Regulatory Guide [Revision]

Proposal to Consolidate Post-Fukushima Rulemaking Activities

UNITED STATES NUCLEAR REGULATORY COMMISSION OFFICE OF NUCLEAR REACTOR REGULATION WASHINGTON, D.C February 1, 2006

U.S. Nuclear Regulation after Three Mile Island

Resilient and Secure Solutions for the Water/Wastewater Industry

NEI 06-13A [Revision 2] Template for an Industry Training Program Description

Audit Report. Management of Naval Reactors' Cyber Security Program

A DEVELOPMENT FRAMEWORK FOR SOFTWARE SECURITY IN NUCLEAR SAFETY SYSTEMS: INTEGRATING SECURE DEVELOPMENT AND SYSTEM SECURITY ACTIVITIES

Regulatory Guide Verification, Validation, Reviews, And Audits For Digital Computer Software Used in Safety Systems of Nuclear Power Plants

Audit of NRC s Network Security Operations Center

Interim Staff Guidance on Implementation of a Probabilistic Risk Assessment-Based Seismic Margin Analysis for New Reactors DC/COL-ISG-020

How To License A Nuclear Plant

An International Perspective on Security and Compliance

IAEA Safety Standards for Regulatory Activities

UNITED STATES NUCLEAR REGULATORY COMMISSION OFFICE OF NUCLEAR REACTOR REGULATION WASHINGTON, D.C June 1, 2005

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

U.S. NUCLEAR REGULATORY COMMISSION STANDARD REVIEW PLAN. Organization responsible for the review of instrumentation and controls

The Anatomy of an Effective Cyber Security Solution: Regulatory Guidelines and the Technology Required for Compliance

Joint ICTP-IAEA School of Nuclear Energy Management November Nuclear Security Fundamentals Module 9 topic 2

How To Write A Cyber Security Risk Analysis Model For Research Reactor

U.S. NUCLEAR REGULATORY COMMISSION STANDARD REVIEW PLAN

FUNDAMENTALS OF CYBER SECURITY FOR NUCLEAR PLANTS

United States Nuclear Regulatory Commission Office of Research Washington, DC

May 9, 2013 SUBJECT: FINAL SAFETY EVALUATION FOR TECHNICAL REPORT NEI 11-04, QUALITY ASSURANCE PROGRAM DESCRIPTION, REVISION 0

Emergency Preparedness at Nuclear Power Plants

December 5, 2013 VENDOR INSPECTION PROGRAM ANNUAL SELF-ASSESSMENT REPORT FOR FISCAL YEAR 2013

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

NIST Cybersecurity Framework What It Means for Energy Companies

Regulatory Guide Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

U.S. NUCLEAR REGULATORY COMMISSION STANDARD REVIEW PLAN. Organization responsible for the review of physical security

DRAFT REGULATORY GUIDE

Comparison of ISO 9000 and Recent Software Life Cycle Standards to Nuclear Regulatory Review Guidance. G. G. Preckshot J. A. Scott. Version 3.

March 5, 2015 NUCLEAR FUEL SERVICES, INC., LICENSEE PERFORMANCE REVIEW (NUCLEAR REGULATORY COMMISSION INSPECTION REPORT / )

Cyber Security :: Insights & Recommendations for Secure Operations. N-Dimension Solutions, Inc.

DRAFT REGULATORY BASIS TO CLARIFY 10 CFR PART 21, REPORTING OF DEFECTS AND NONCOMPLIANCE

Cyber Security Design Methodology for Nuclear Power Control & Protection Systems. By Majed Al Breiki Senior Instrumentation & Control Manager (ENEC)

THE WHITE HOUSE. Office of the Press Secretary. For Immediate Release February 12, February 12, 2013

Roadmaps to Securing Industrial Control Systems

NRC Enforcement Policy

AUDIT REPORT FOR LIFECYCLE PHASES ONE AND TWO DOCUMENTATION. VALIDATION RELATED TO PROTECTION AND SAFETY MONITORING SYSTEM and

Transcription:

A Regulatory Approach to Cyber Security Perry Pederson Security Specialist (Cyber) Office of Nuclear Security and Incident Response U.S. Nuclear Regulatory Commission 1

Agenda Overview Regulatory Framework Part 50 Safety and Part 73 Security Title 10 of the Code of Federal Regulations 73.54 Regulatory Guide 5.71 Regulatory Guide 1.152 Oversight Activities Research Activities Cyber Security Roadmap Paradigm Shift Questions

Regulatory Framework Regulations Oversight and Inspection Regulatory Guidance Licensing

Requirements - 10 CFR 73.1 (Design Basis Threat) - 10 CFR 73.54 (Cyber Security) Regulatory Objective PREVENT RADIOLOGICAL SABOTAGE Scope Systems that provide: - Safety, Important-to-Safety functions - Security functions - Emergency Preparedness functions - Support Systems whose failure would have an Adverse Impact* on one of the above functions Approach Programmatic Defense-in-Depth Risk-informed Guidance RG 5.71 & Appendices Nuclear Energy Institute (NEI) 08-09 (Generic Cyber Security Plan Template) Implementation Oper. Rx Cyber Security Plan (10 CFR 50.34) COLA Cyber Security Plan (10 CFR Part 52) NRC Licensing Safety Evaluation (Chapter 13) Issue License Condition Adverse Impact* =Compromise of support system impairs/defeats the functionality of a safety system, important-tosafety system, security system, or emergency response system Support Systems whose failure would not have an Adverse Impact* on a safety, important-tosafety, security, or emergency preparedness function fall under Federal Energy Regulatory Commission (FERC) regulations (i.e., North American Electric Reliability Corporation (NERC) cyber security standards) Memorandum of Agreement with FERC and Memorandum of Understanding with NERC NRC Oversight Inspection Procedures Inspections, Tests, Analyses, And Acceptance Criteria (ITAAC) [no programmatic ITAAC] Inspector Training Significance Determination Process Requirements - 10 CFR 50.34-10 CFR 50.55a - 10 CFR 50 Appendix A (General Design Criteria) - 10 CFR 50 Appendix B (Quality Assurance) - 10 CFR 52.4 Regulatory Objective SYSTEM FUNCTIONALITY & RELIABILITY Scope Systems that are: - Safety-Related - Important-to-Safety Approach System-level design features Diversity and Defense-in-Depth Deterministic Guidance RG 1.152 Rev 3 IEEE Std. 603, IEEE Std. 7-4.3.2 Design Acceptance Criteria (Part 52) Implementation Amendment Request (10 CFR 50.90) Design Criteria Application (10 CFR 52) NRC Licensing Safety Evaluation (Chapter 7) Issue License Condition

10 CFR 73.54 Title: Protection of digital computer and communication systems and networks Performance-Based, Programmatic (< 2 pages) Provide high assurance against cyber attack Integrated with Physical Security Program (10 CFR 73.55) Basic Requirements Critical digital assets must be protected Safety, important-to-safety, security, and emergency preparedness functions and support systems that can impact those functions Defense-in-depth protective strategy Records maintained for duration of license

Regulatory Guide 5.71 Title: Cyber security programs for nuclear facilities Form Cyber Security Team Identify Critical Digital Assets Apply Defensive Architecture Address Security Controls 1. Address each control for each critical digital asset, or 2. Apply alternative measures, or 3. Explain why a control is not applicable

Regulatory Guide 1.152 Title: Criteria for use of computers in safety systems of nuclear power plants A method for complying with the Commission s regulations high functional reliability, design quality, and a secure development and operational environments The combination of this regulatory guide and the programmatic provisions under 10 CFR 73.54 and RG 5.71 address the secure design, development, and operation of digital safety systems

Oversight Activities Inspection Program pilot process inspector training Significance Determination Process Threat information sharing Protected Web Server (PWS) United States Computer Emergency Response Team (US- CERT) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)

Research on Security of Digital Instrumentation and Control Security of Digital Platforms Network Security Security Assessments of Electromagnetic and Radio Frequency Vulnerabilities Quantification of Security Posture Reliability Impacts of Smart Grid

Cyber Security Roadmap Provides an update to the Commission on the status of the implementation of cyber security requirements for power reactor licensees and Combined License applicants. The paper outlines the approach for evaluating the need for cyber security requirements for the following four categories of the NRC licensees and facilities: Fuel cycle facilities Non-power reactors Independent Spent Fuel Storage Installations Byproduct materials licensees

Paradigm Shift

Physical Security

Cyber Security

Questions

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information