A Cost-Efficient Approach to High Cyber Security Assurance in Nuclear Power Plants



The RIPE Framework as an Alternative to Regulatory Guide 5.71 and NEI 08-09
Perry Pederson, April 2014
The Langner Group, Arlington / Hamburg / Munich

Contents

- Executive Summary
- Regulation of Cyber Security for Critical Infrastructure: The Past, the Present, and the Potential Future
- Cyber Security Regulatory Requirements for Nuclear Power Plants
  - Requirements to be met by a Cyber Security Program
  - Visualizing 10 CFR 73.54
- RIPE Versus NRC Regulatory Requirements
  - Mapping RIPE to 10 CFR 73.54
  - RIPE Framework Elements
- RIPE Versus Existing Regulatory Guidance
  - Mapping RIPE to RG 5.71
  - Hands-on Approach rather than Stating Performance Goals
  - Guidance going beyond requirements and/or demonstrable value
- Missing in Action: Cost-Efficiency and Continuous Improvement
- Conclusion
- Appendix
  - 10 CFR 73.54 Protection of digital computer and communication systems and networks
  - 10 CFR 73.1 General Provisions (a.k.a. design basis threat)
  - Regulatory Guide 5.71 versus RIPE
  - NEI 08-09 versus RIPE

About the author: Perry Pederson is a co-founder and managing principal of The Langner Group. He began protecting critical infrastructure against cyber attacks with the US Department of Defense and continued that effort as the Director of the Control Systems Security Program (CSSP) at the US Department of Homeland Security. At DHS, he managed the Aurora project, in which it was demonstrated that electrical generators can be destroyed by a cyber attack. Pederson then moved to the US Nuclear Regulatory Commission, where he helped build the regulatory framework for cyber security at US nuclear power reactors, and has consulted with the International Atomic Energy Agency on applying security controls to digital instrumentation and control systems globally. Before joining The Langner Group, Pederson held the position of Senior Cyber Threat Analyst for the Nuclear Regulatory Commission.

High Cyber Security Assurance in NPPs - 2 - www.langner.com

Executive Summary

This paper demonstrates that the RIPE Framework can be applied to meet the regulatory requirements put forth in the Nuclear Regulatory Commission (NRC) cyber security rule published in 2009. The rule is publicly available at Title 10 of the Code of Federal Regulations, Part 73.54, Protection of Digital Computer and Communication Systems and Networks (10 CFR 73.54); it is also included in full text in the appendix of this paper. Licensees of nuclear power plants (NPPs) are required to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat (DBT) described in 10 CFR 73.1 (also in the appendix). As illustrated in this paper, the RIPE Framework not only meets the NRC's requirements for providing high assurance against cyber attacks, but does so at the least cost and can also produce empirical evidence to support that assertion.

Regulation of Cyber Security for Critical Infrastructure: The Past, the Present, and the Potential Future

For several critical infrastructure sectors (e.g., electrical, nuclear), high cyber security assurance is said to be achieved when the asset owner has complied with all regulatory requirements. When the nuclear industry speaks of requirements for cyber security at NPPs, 10 CFR 73.54 and 10 CFR 73.1 (as well as other related NRC regulations, such as the requirements for physical security) form the regulatory basis for what follows. Subsequent to the rule in 2009, the NRC published Regulatory Guide 5.71 (RG 5.71) in 2010 as one way to meet the regulation; it contains a template for a cyber security plan (which outlines a cyber security program). However, NPP licensees are free to devise a cyber security program of their own design as long as it meets the requirements published in 10 CFR 73.54.

This may seem like a tall order: proving to the NRC that you have devised a cyber security program that meets all of the regulatory requirements. And, considering that the Nuclear Energy Institute (NEI) has published its own guidance document (NEI 08-09) that essentially mirrors the NRC's RG 5.71, industry has conceded that beating the NRC at its own game is either not possible, not wise, or too costly. However, this paper posits not only that it is possible to design a cyber security program for NPPs that meets or exceeds the NRC requirements, but that the goal can be met with measurable results while minimizing costs.

Just a decade ago the NPP industry had an opportunity for self-regulation by adopting an industry best practice based on NEI 04-04 and NUREG 6847 (neither of these documents is publicly available). Apparently, because the NRC subsequently published its own rule and guidance, the industry's self-regulation efforts were deemed insufficient. This presents an object lesson for other industries facing various forms of cyber regulation: if an industry-led effort is not deemed adequate by the industry's regulatory body, additional regulation is likely to ensue. Many observers see the recent Cyber Security Framework (CSF), issued by the US government through the National Institute of Standards and Technology (NIST) as a result of Presidential Executive Order 13636, as the last chance for US critical infrastructure owners and operators to get cyber security right: adopt an approach like the one laid out in the CSF voluntarily, or face unprecedented political pressure for regulation. However, if any industry were to adopt an approach to cyber security that can show empirically (as opposed to the musings of opposing experts) that it meets all of the regulatory requirements AND does so at an overall lower cost for the asset owner, then it presents the classic win-win situation. In this manner, through a sustainable and measurable approach to cyber security, additional regulation may be forestalled or even rolled back.

Cyber Security Regulatory Requirements for Nuclear Power Plants

For the purpose of this paper, the comparison starts at the regulatory level and, in a later section, extends to the NRC's regulatory guidance.

Requirements to be met by a Cyber Security Program

All NPP licensees are required by regulation to establish, implement, and maintain a cyber security program that provides high assurance of adequate protection against cyber attacks. Analyzing the language of the rule directly, we find three distinct groups or types of requirements that the cyber security program must meet: Performance Requirements, Programmatic Requirements, and Documentary Requirements. This perspective allows us to see clearly the distinction between the outcomes that are expected and the programmatic and documentary elements required to demonstrate the achievement of those outcomes.

Performance Requirements (PER)

High-level requirement: provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat.

Specific requirements:
- PER-1 Protect digital computer and communication systems and networks associated with safety-related and important-to-safety functions, security functions, and emergency preparedness (SSEP) functions, including offsite communications; and support systems and equipment which, if compromised, would adversely impact SSEP functions
- PER-2 Protect the systems and networks from cyber attacks that would adversely impact the integrity or confidentiality of data and/or software, deny access to systems, services, and/or data, or adversely impact the operation of systems, networks, and associated equipment
- PER-3 Analyze digital computer and communication systems and networks and identify those assets that must be protected against cyber attacks
- PER-4 Ensure that appropriate facility personnel, including contractors, are aware of cyber security requirements and receive the training necessary to perform their assigned duties and responsibilities
- PER-5 Evaluate and manage cyber risks
- PER-6 Ensure that modifications to assets are evaluated before implementation to ensure cyber security performance objectives are maintained

Programmatic Requirements (PRO)

High-level requirement: establish, implement, and maintain a cyber security program.

Specific requirements:
- PRO-1 Implement security controls to protect the identified assets from cyber attacks
- PRO-2 Apply and maintain defense-in-depth protective strategies to ensure the capability to detect, respond to, and recover from cyber attacks
- PRO-3 Mitigate the adverse effects of cyber attacks
- PRO-4 Ensure that the functions of protected assets are not adversely impacted by cyber attacks
- PRO-5 Review the cyber security program as a component of the physical security program in accordance with the requirements of the physical security program

Documentary Requirements (DOC)

High-level requirement: develop and maintain a cyber security plan (CSP) and supporting technical documentation.

Specific requirements:
- DOC-1 Develop and submit a CSP with implementation schedule for review and approval
- DOC-2 Establish and maintain a CSP that implements the cyber security program requirements
- DOC-3 The CSP must describe how requirements are met and account for site-specific conditions
- DOC-4 Develop and maintain written policies and procedures to implement the CSP
- DOC-5 The CSP must include measures for cyber incident response and recovery
- DOC-6 The CSP must include measures for timely detection and response to cyber attacks
- DOC-7 The CSP must include measures for the mitigation of the consequences of cyber attacks
- DOC-8 The CSP must include measures to correct exploited vulnerabilities
- DOC-9 The CSP must include measures for restoring affected systems, networks, and/or equipment resulting from a cyber attack
- DOC-10 Retain all records and supporting technical documentation as a record until the Commission terminates the license for which the records were developed, and maintain superseded portions of these records for at least three (3) years after the record is superseded, unless otherwise specified by the Commission

Visualizing 10 CFR 73.54

One way to visualize the mapping of requirements outlined in 10 CFR 73.54 is depicted below. As is the case in the rule, every element clearly supports the ultimate goal of protecting NPPs, and hence the public and the environment, from the potentially devastating effects of a successful cyber attack on an NPP.

[Figure: 10 CFR 73.54 requirements at a glance]
Performance requirements: PER-1 Protect SSEP functions; PER-2 Protect systems and networks; PER-3 Analyze and identify assets; PER-4 Ensure personnel awareness and training; PER-5 Evaluate and manage cyber risks; PER-6 Ensure mods are evaluated before implementation
Programmatic requirements: PRO-1 Implement security controls; PRO-2 Apply and maintain defense-in-depth; PRO-3 Mitigate adverse effects of cyber attacks; PRO-4 Ensure that functions of protected assets are not adversely impacted by cyber attacks; PRO-5 Review the cyber security program as a component of the physical security program
Documentary requirements: DOC-1 Submit a CSP; DOC-2 Establish and maintain a CSP; DOC-3 CSP describes how requirements are met; DOC-4 Policies and implementing procedures; DOC-5 CSP with incident response/recovery; DOC-6 CSP with detection/response; DOC-7 CSP with mitigation of consequences; DOC-8 CSP with correction of vulnerabilities; DOC-9 CSP to restore affected systems; DOC-10 Retain records and tech documentation

RIPE Versus NRC Regulatory Requirements

As part of the licensing process for NPPs, licensees must submit a CSP for review and approval by the NRC per 10 CFR 73.54. As previously noted, licensees can submit a plan of their own creation. However, they decided en masse to use the template provided in NEI 08-09, although some of the new reactor license applicants opted to use the template in RG 5.71. While the cyber security requirements are outlined in 10 CFR 73.54, once the licensee submits a plan to the NRC under oath or affirmation and the NRC approves it, the CSP has essentially the same weight as the regulation. In other words, when the inspectors show up, they will be reading the CSP and comparing the commitments made in that document to ground truth at each site. The requirements in the rule are the same for each NPP; the CSP, however, contains the site-specific adaptations necessary to ensure compliance. Whatever the level of security determined by the asset owner or by regulation, RIPE can meet the requirement while also providing robustness, measurability, and continuous improvement at the least cost.

Mapping RIPE to 10 CFR 73.54

The following chart provides a visual mapping of the RIPE Framework elements to the regulatory requirements of 10 CFR 73.54. Arguably, the performance requirements outlined in 10 CFR 73.54 are the critical piece of the cyber security puzzle: if the documentation is not quite up to snuff but not even nation states can adversely impact your processes, that is what is important. Nonetheless, even in the realm of performance-based regulation, the inspector will look at the various artifacts of the cyber security program to determine compliance. The quality of the information found on paper affects the result of the inspection, and incomplete or inaccurate documentation can also have adverse effects on the systems themselves.

Because of the way the RIPE Framework was designed, there is no direct (i.e., exclusive, fixed) one-to-one mapping between it and the 10 CFR 73.54 requirements, as the chart shows. RIPE was designed from the ground up to be a completely integrated whole. However, we can look at each of the RIPE program elements and see how they map to the various requirements found in 10 CFR 73.54.

RIPE Framework Elements

A brief synopsis of each RIPE element is presented below, along with the list of 10 CFR 73.54 requirements (as labeled previously) that it addresses.

Architecture Analysis
- System Inventory for digital industrial control systems, process IT systems, software applications and middleware, and network gear. The quality of this information is paramount, as it forms the basis for the Network Architecture and Data Flow Diagrams as well as for determining device legitimacy, proper configuration, and access control. 10 CFR 73.54 requirements: PER-3, 5, 6; PRO-4; DOC-10
- Network Architecture and Data Flow Diagrams allow for a full understanding of all data exchanged between components of a distributed system. This includes digital dependencies between system components, which is also the basis for professional system maintenance. 10 CFR 73.54 requirements: PER-5, 6; PRO-2; DOC-10
- Plant Planning and Procurement Guidelines require the asset owner to define and maintain a standard set of cyber security and robustness criteria in their Requests for Proposals. Suppliers that meet these criteria are preferred. This approach is applied to new installs as well as to configuration changes. 10 CFR 73.54 requirements: PER-4, 6; DOC-3, 10

People and Procedures
- Workforce Information Database contains information on individuals with legitimate access to digital plant floor systems and also determines which individuals to notify in case of policy, SOP, or configuration changes. In addition, it allows for determining training requirements for personnel given their responsibilities, along with an assessment of whether the training requirements are met. 10 CFR 73.54 requirements: PER-4; DOC-10
- Training Program enables every individual subject to the Cyber Security and Robustness Program to correctly perform the activities mandated by this program, and is extended to contractors. 10 CFR 73.54 requirements: PER-4; DOC-10
- Policy and Standard Operating Procedure Repository provides a central location that allows for easy access to and management of all regulations that must be observed when interacting with specific industrial control systems in various roles (such as end user, maintenance engineer, contractor, etc.). 10 CFR 73.54 requirements: DOC-4, 10

Intelligence and Improvement
- Program Compliance Measurement measures how successfully the program is executed. Compliance metrics are used to identify program areas where execution does not match specification, allowing for corrective action. 10 CFR 73.54 requirements: PER-2, 5; PRO-1, 2; DOC-3, 10
- Vulnerability and Fragility Analysis of systems, architectures, and procedures used or planned to be used, extending from component-level vulnerabilities to plant-level vulnerabilities. The vulnerability analysis uses input from the System Inventory and from the Network and Data Flow Diagrams. 10 CFR 73.54 requirements: PER-1, 5, 6; PRO-1, 3, 4; DOC-10
- Performance Evaluation and Improvement evaluates the performance of the Cyber Security and Robustness Program with respect to target cyber security and robustness levels as determined by the asset owner. 10 CFR 73.54 requirements: PER-5, 6; PRO-2, 3, 4, 5; DOC-10

Reporting and Management Sign-Off
- Results from the Intelligence and Improvement program practices are reported annually to management for review and sign-off. 10 CFR 73.54 requirements: PRO-5; DOC-1, 10

Roles and Responsibilities
- Central Cyber Security Entity is responsible for providing the technical basis for and maintaining the System Inventory and User Inventory; delivering and adapting policies and procedures; developing, updating, and delivering the Training Program; performing audits, Compliance Measurements, Vulnerability Analysis, and Performance Evaluation and Improvement; and supporting end users and maintenance engineers from other departments and from contractors in executing the provisions of the Cyber Security Program. 10 CFR 73.54 requirements: all
- Staff Members from other Departments include Plant Planning, the Buying Department and Legal Department, Plant Maintenance, Plant Operations, Business Users, and the IT Department. 10 CFR 73.54 requirements: PER-4
- Third Parties include contractors, vendors, system integrators, and consultants who are responsible for executing any provisions set forth in the Cyber Security and Robustness Program activities. Third Parties are expected to comply with all policies and procedures with respect to remote access (if applicable), usage of BYOD, removable media, and system access. 10 CFR 73.54 requirements: PER-5
- Management is responsible for signing off annual reports, security policies, and procurement guidelines, and for allocating budget for executing the Cyber Security and Robustness Program. 10 CFR 73.54 requirements: PER-4

The bottom line is that the RIPE Framework addresses every requirement currently established by the NRC for NPP cyber security. Furthermore, RIPE provides additional benefits such as continuous improvement as an outcome, performance metrics, and information sharing, so there is a means to benefit from lessons learned.
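Since 10 CFR 73.54 protects not only the SSEP assets themselves but also support systems and equipment which, if compromised, would adversely impact an SSEP function, the System Inventory and the Data Flow Diagrams together determine the asset list required by PER-3: the protected set is the SSEP assets plus everything that can reach them, transitively, over a channel that can carry data toward them. The Python script below is an added example of that step, written for this page; it is not code from the paper or from The Langner Group's RIPE tooling. The asset names, the flows, the one_way flag and the protocol labels are all constructed assumptions for a made-up plant network.

```python
"""Architecture-analysis example: deriving the set of digital assets that must
be protected from a System Inventory plus a Network Architecture/Data Flow list.

Added illustration, not code from the paper or from the RIPE Framework.
The inventory, flows and asset names are constructed sample data
(assumption: a small, made-up plant network)."""

from collections import defaultdict, deque
from typing import Dict, List, Optional, Set, Tuple

# Constructed System Inventory: asset id -> (description, SSEP function or None).
# 10 CFR 73.54(a)(1) names safety-related/important-to-safety, security and
# emergency-preparedness (SSEP) functions as the functions to be protected.
INVENTORY: Dict[str, Tuple[str, Optional[str]]] = {
    "RPS-A":     ("Reactor protection system, train A",            "safety"),
    "ESFAS":     ("Engineered safety features actuation",          "safety"),
    "SEC-ACS":   ("Physical access control server",                "security"),
    "PA-SYSTEM": ("Plant page/party-line system",                  "emergency-preparedness"),
    "HMI-1":     ("Control room operator HMI",                     None),
    "NTP-1":     ("Plant time server",                             None),
    "ENG-WS":    ("Engineering workstation (vendor config tool)",  None),
    "CORP-MAIL": ("Corporate e-mail server",                       None),
    "HIST":      ("Process historian",                             None),
    "PRINT-1":   ("Plant print server",                            None),
}

# Constructed Data Flows: (source, destination, protocol, one_way).
# one_way=True means the channel is enforced unidirectional (a data diode), so
# only the source can influence the destination. Any ordinary TCP/IP session is
# bidirectional: a "read-only" Modbus or OPC poll still lets the client push
# data and function codes toward the server, so it is modelled as two-way.
FLOWS: List[Tuple[str, str, str, bool]] = [
    ("NTP-1",     "RPS-A",   "ntp",        False),
    ("NTP-1",     "SEC-ACS", "ntp",        False),
    ("HMI-1",     "ESFAS",   "opc",        False),
    ("ENG-WS",    "RPS-A",   "vendor-cfg", False),
    ("CORP-MAIL", "ENG-WS",  "imap",       False),  # engineer reads mail on ENG-WS
    ("RPS-A",     "HIST",    "modbus/tcp", True),   # export through a data diode
    ("HIST",      "PRINT-1", "ipp",        False),
]


def unknown_assets(inventory, flows) -> Set[str]:
    """Assets that appear in the data-flow diagrams but not in the inventory.
    Any hit means the inventory (or the diagram) is wrong; the analysis must
    not proceed on it, because an unlisted device cannot be assessed."""
    known = set(inventory)
    return {a for src, dst, _, _ in flows for a in (src, dst) if a not in known}


def impact_graph(flows) -> Dict[str, Set[Tuple[str, str]]]:
    """Map each asset to the set of (asset, protocol) pairs that can adversely
    impact it, i.e. the reverse of 'can send data to'."""
    impacted_by: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for src, dst, proto, one_way in flows:
        impacted_by[dst].add((src, proto))
        if not one_way:
            impacted_by[src].add((dst, proto))
    return impacted_by


def critical_digital_assets(inventory, flows) -> Dict[str, str]:
    """Return {asset: reason} for every asset that must be protected: the SSEP
    assets themselves plus, transitively, everything that can adversely impact
    one of them (the 'support systems and equipment' clause of the rule)."""
    missing = unknown_assets(inventory, flows)
    if missing:
        raise ValueError(f"data flows reference assets missing from inventory: {sorted(missing)}")

    impacted_by = impact_graph(flows)
    reasons: Dict[str, str] = {
        a: f"performs {fn} function" for a, (_, fn) in inventory.items() if fn
    }
    queue = deque(sorted(reasons))  # deterministic breadth-first walk upstream
    while queue:
        victim = queue.popleft()
        for upstream, proto in sorted(impacted_by[victim]):
            if upstream not in reasons:
                reasons[upstream] = f"can adversely impact {victim} via {proto}"
                queue.append(upstream)
    return reasons


if __name__ == "__main__":
    cdas = critical_digital_assets(INVENTORY, FLOWS)
    for asset in INVENTORY:
        print(f"{asset:10} {cdas.get(asset, 'not required to be protected by this analysis')}")
```

Run as is, the script prints each asset with the reason it is (or is not) in the protected set. The data is constructed to show two things. The corporate mail server ends up in the set because the engineering workstation that downloads configuration to the protection system also reads mail; that is the kind of plant-level vulnerability that a checklist applied per CDA does not surface, and a design change (no mail client on ENG-WS) removes it more cheaply than bolting on controls. The historian stays outside the set only because the flow into it is enforced one-way, so the one_way flag must be backed by a physical data diode, not by a firewall rule or a "read-only" protocol setting.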
RIPE Versus Existing Regulatory Guidance

Once a cyber security program is reviewed and approved by the NRC, it represents the standard by which inspectors will evaluate compliance. The underlying premise is that if licensees diligently implement the cyber security program as approved by the NRC, they will have met the requirements of 10 CFR 73.54. Following the guidance in either RG 5.71 or NEI 08-09 is, by definition, meeting the regulatory requirement of providing high assurance of adequate protection against a cyber attack. However, the RIPE Framework goes beyond compliance with regulatory requirements (i.e., the "what" of cyber security) and outlines a detailed process (i.e., the "how" of cyber security) that provides a sustainable, measurable, and continuously improving cyber security capability at the least cost.

Mapping RIPE to RG 5.71

The following chart provides a visual mapping of the RIPE Framework elements to the regulatory guidance found in RG 5.71 or NEI 08-09.

Hands-on Approach rather than Stating Performance Goals

Outlined below are the areas where RIPE provides general performance goals as well as specific guidance on how to achieve those goals:

- RIPE provides guidance and templates on how to discover systemic or plant-level vulnerabilities
  - Plant-level vulnerabilities emerge from the specific hardware/software, architecture, and protocols that exist in the plant and may involve systems deemed by some to be non-critical
  - Licensees are expected to assess their digital assets and determine which are critical and which are non-critical, but without the right input and rigor, the analysis may not be complete or accurate
- RIPE provides guidance on how to first build a cyber security capability that can maintain a given level of security (as determined by the asset owner)
  - Existing regulatory frameworks assume that providing high-level performance objectives is sufficient, but experience on the plant floor suggests otherwise
- RIPE provides guidance and templates on how to implement a process of continuous improvement that will also minimize costs
  - Regulators are not necessarily concerned with continuous improvement, but with compliance
  - Likewise, regulators are not necessarily interested in reducing costs
- RIPE provides guidance and templates on how to procure more secure systems
  - Although there is an intrinsic motivation on the part of licensees to procure more secure digital assets, there is a dearth of guidance on exactly how to incorporate security requirements into procurement specifications
- RIPE, as a proprietary product/service, provides something that no regulatory body can legally provide: guidance on what to do and how to do it, supported by a cadre of subject matter experts (SMEs) that an average utility could not manage to employ
  - The level of expertise brought to bear by The Langner Group is broad and deep, and once RIPE is established, these experts are only required for short periods on a periodic basis
  - Every year the RIPE process is tweaked as needed and the templates are updated based on aggregated lessons learned across the client base
  - Information on vulnerabilities as well as mitigation strategies and solutions is shared on a continual basis amongst all RIPE customers

For a comparison of RIPE Framework domains and RG 5.71/NEI 08-09 the reader can refer to the appendix in this document. Guidance going beyond requirements and/or demonstrable value While the RG 5.71 and NEI 08-09 are certainly not without value, some of the guidance goes beyond the regulation as specified in 10 CRF 73.54 and provides dubious value to the cyber security posture of a NPP network. A few examples are highlighted below. Training RG 5.71 dedicates sections C.10.1 to C.10.4 directly to training of NPP staff and contractors, resulting in roughly 2.5 pages of text. In comparison, the only requirement regarding training in the regulation reads: Ensure that appropriate facility personnel, including contractors, are aware of cyber security requirements and receive the training necessary to perform their assigned duties and responsibilities. Compared to the regulatory requirement, training as outlined in RG 5.71 reads like overkill. For example, section 10.2 which specifically covers awareness training is specific on teaching hacking skills. However, this goes well beyond the awareness of cyber security requirements as stated in the regulation. Furthermore, it has never been proven that familiarity with hacking skills would make an organization more cyber-secure. In contrast, the RIPE Framework limits cyber security training to the kind of drills that personnel in a NPP are familiar with when it comes to safety and physical security. Beyond that, in-depth courses for system designers and control system engineers are provided to promote design and implementation strategies for robust and secure control and safety system installations. Section C.10.4 of RG 5.71 intends to train a workforce of cyber security specialists in the licensee s organization which goes beyond the regulatory requirements, is highly unrealistic, and even focuses on misleading techniques. 
For example, the cyber security specialist should be able to conduct penetration tests and harden Critical Digital Assets (CDAs). The reality is that sophisticated penetration testing cannot be done in live NPPs for safety reasons, and the hardening of CDAs is a process that must be left to the respective vendor (and, as a configuration changes, is subject to re-certification). In contrast, the RIPE Framework does not attempt to develop a group of cyber security super-experts at every NPP but provides the best expert advice both as a service in ongoing support and as a product in form of the various design guidelines, policies and procedures, templates, and assessment reports. Security Controls and Cyber Security Capability Both RG 5.71 and NEI 08-09 place an unsubstantiated faith in the mere presence of security controls, which is expressed in a checklist approach where the presence or absence of specific security controls for every CDA is judged as an indicator of cyber security posture. However, security controls are not magic properties that, if allegedly present, would provide security assurance in a guaranteed manner. In reality, any typical security control provides not much more than a grey zone which must be carefully examined in order to establish the factual value of such control. The reason for this grey zone has been extensively covered in our whitepaper The RIPE Framework and is known as cyber security capability. The term reflects the gap between a conceptual security control and its actual de-facto implementation, configuration, and behavior. For example, regimes for the application of security patches or antivirus updates regularly are not executed per policy in real-life plant environments. 
The same is true for behavioral controls such as policies, where audits regularly show that security policies are either not known to their intended audience, not practicable (non-comprehensive, non-memorizable, or simply non-executable for practical reasons), or simply not followed for convenience.

High Cyber Security Assurance in NPPs - 10 - www.langner.com
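To make the capability gap described above measurable rather than a matter of opinion, the following is an added example (not from the whitepaper and not RIPE Framework tooling) that scores a constructed CDA inventory in two ways: the checklist view (is the patch or antivirus control assigned on paper?) against the capability view (is there dated evidence that it is actually being executed within policy?). The host names, dates, policy thresholds (30-day patch cycle, 7-day signature age), the required inventory fields and the "completeness" and "gap" formulas are illustrative assumptions, not definitions from RG 5.71, NEI 08-09 or RIPE.

```python
"""Measure the gap between a documented security control and its de-facto state
(the 'cyber security capability' gap) over a constructed CDA inventory.

Added example, not from the whitepaper and not RIPE Framework tooling. The
inventory fields, host names, dates, policy thresholds (patch cycle 30 days,
AV signature age 7 days) and the formulas for 'completeness' and 'gap' are
illustrative assumptions, not definitions taken from RG 5.71, NEI 08-09 or RIPE.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Fields a record must carry before it counts as a complete inventory entry.
REQUIRED_FIELDS = ("hostname", "software", "network_zone", "last_patch", "av_signature")

PATCH_MAX_AGE_DAYS = 30   # assumed policy: patches applied at least every 30 days
AV_MAX_AGE_DAYS = 7       # assumed policy: AV signatures no older than 7 days


@dataclass
class CdaRecord:
    hostname: str
    software: Optional[str]
    network_zone: Optional[str]
    last_patch: Optional[date]       # evidence: when patches were last applied
    av_signature: Optional[date]     # evidence: date of the installed signature set
    patch_policy_assigned: bool      # the control is "present" on the checklist
    av_policy_assigned: bool


# Constructed sample inventory (hypothetical hosts and dates).
AS_OF = date(2014, 2, 8)
INVENTORY = [
    CdaRecord("hmi-01",    "Win7 SP1",   "L3", date(2014, 1, 20), date(2014, 2, 7),  True, True),
    CdaRecord("hist-01",   "WinSrv2008", "L3", date(2013, 9, 2),  date(2014, 2, 7),  True, True),
    CdaRecord("eng-ws-02", None,         "L3", None,              date(2013, 12, 1), True, True),
    CdaRecord("plc-gw-01", "Linux 3.2",  None, date(2014, 1, 30), None,              True, False),
]


def is_complete(rec):
    """Completeness: every required inventory field is filled in."""
    return all(getattr(rec, f) is not None for f in REQUIRED_FIELDS)


def _age_days(d, as_of):
    return None if d is None else (as_of - d).days


def control_documented(rec, control):
    """The checklist view: is the control assigned to this CDA on paper?"""
    return rec.patch_policy_assigned if control == "patch" else rec.av_policy_assigned


def control_executed(rec, control, as_of):
    """The capability view: is there evidence that the control is actually being executed?"""
    if control == "patch":
        age = _age_days(rec.last_patch, as_of)
        limit = PATCH_MAX_AGE_DAYS
    elif control == "av":
        age = _age_days(rec.av_signature, as_of)
        limit = AV_MAX_AGE_DAYS
    else:
        raise ValueError("unknown control: %s" % control)
    # Missing evidence counts as not executed: an undocumented state is not assurance.
    return control_documented(rec, control) and age is not None and 0 <= age <= limit


def capability_gap(inventory, control, as_of=AS_OF):
    """Hosts where the checklist says 'control present' but the evidence says otherwise."""
    return [r.hostname for r in inventory
            if control_documented(r, control) and not control_executed(r, control, as_of)]


def assess(inventory, as_of=AS_OF):
    """Programme-level numbers: documented vs. executed per control, plus inventory completeness."""
    n = len(inventory)
    report = {"completeness": sum(is_complete(r) for r in inventory) / n}
    for control in ("patch", "av"):
        documented = sum(control_documented(r, control) for r in inventory) / n
        executed = sum(control_executed(r, control, as_of) for r in inventory) / n
        report[control] = {"documented": documented, "executed": executed,
                           "gap": documented - executed}
    return report


if __name__ == "__main__":
    print(assess(INVENTORY))
    for control in ("patch", "av"):
        print(control, "assigned but not executed on:", capability_gap(INVENTORY, control))
```

On the constructed inventory the patch control is documented for every host (1.0) but executed on only half of them, which is exactly the grey zone the text describes; the per-host list from capability_gap is the actionable output a governance process would track from one cycle to the next, while the completeness score shows how much of the inventory cannot even be judged.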

The establishment of security controls without the implementation of a governance process to achieve cyber security capability leaves cyber security to wishful thinking. For this reason, the RIPE Framework places the emphasis on implementing such a governance process, which is absent in both guidance documents referenced. To make the picture complete, the RIPE Framework also favors design change over bolt-on security controls, if only to eliminate the need for installing ever more devices and software that can be misconfigured or fail, or for mandating new procedures that require staff time which must be subtracted from other tasks.

In order to achieve and sustain high assurance against cyber attacks at NPPs, the owners and operators of said plants should consider implementing a governing process such as RIPE that includes continuous monitoring and proactive action in plant planning, procurement, operations, and maintenance, as shown in the chart above. For maximum effectiveness, the governing process should address all of the regulatory requirements as set forth in the NRC's cyber security rule 10 CFR 73.54. The process should cover not just technical system attributes but also the activities of personnel (employees and third-party staff members) who need to interact with such systems in a live production environment, as well as the staff members who plan, procure, and commission such systems in the first place.

Missing in Action: Cost-Efficiency and Continuous Improvement

In many organizations, the cyber security of ICS used to be viewed as a task that can be mastered on the side by notoriously overburdened control system engineers, with no specific budget. But as with any other activity, nothing really gets done without good planning, management commitment, and resources. These must be in place at the very start of every cyber security program. Fortunately, the RIPE Framework gives the organization all the parameters it needs for resource planning and for monitoring progress.
At the core, the RIPE Framework represents a continuously improving process focused on the cyber security and robustness of digital industrial control systems, regardless of the current state. The RIPE Framework provides a clear alternative to many of the security controls outlined in RG 5.71 and supports that with a rigorous analysis. The chart at left provides an example of the cumulative cost reduction possible (allowing for an incremental increase initially) when the RIPE Framework is implemented to at first augment and then replace the existing cyber security program at NPPs. Pre-RIPE is estimated to require about 3-6 months of effort to ensure the technological capability is in place to build a RIPE program. This Pre-RIPE phase is then followed by RIPE Cycle Zero, which includes a full iteration of the RIPE Framework process, including the generation of performance metrics. At the end of RIPE Cycle Zero, the results of this first iteration become the primary inputs for improving the next; thus begins a process of continuous improvement in the overall security posture, and all unneeded vestiges of the previous program can be terminated.

Conclusion

There is little doubt that compliance with NRC regulatory requirements is what drives the actions of many licensees and has led to substantive improvements in the cyber security posture of the U.S. fleet of NPPs. Regardless, some licensees harbor a vision of cyber security that may in fact exceed the requirements established by the NRC, but have not as yet been able to fully articulate or implement that vision. The truth of the matter is that rather than the regulatory requirement becoming the least that should be done, too often it becomes the limit of what needs to be done. This leaves those who strive for continuous improvement in their cyber security posture wanting for management support and the accompanying budget. This is exactly the value proposition The Langner Group has established for the RIPE Framework. As can be seen in the chart to the left, over time the cost to administer the RIPE Framework will decrease while the cumulative improvements add greater value at a decreasing cost. This provides a measure of predictability in a world being whipsawed by a constant stream of threat reporting that changes almost hourly. The RIPE Framework provides the bridge from a myopic view of regulatory compliance to a sustainable, predictable, and continuously improving cyber security posture at the least possible cost. While many have complimented the NRC for what it has accomplished thus far, the ultimate responsibility for ensuring that NPPs are protected from cyber attacks rests with the licensees. They alone have the responsibility and duty to protect. It is time that the industry stood up to say "We can do this" without the heavy hand of government regulation forcing a minimum set of activities that may or may not contribute to better cyber security.

"I must first know myself, as the Delphian inscription says; to be curious about that which is not my concern, while I am still in ignorance of my own self, would be ridiculous."
-Plato

Appendix

10 CFR 73.54 Protection of digital computer and communication systems and networks [1]

By November 23, 2009 each licensee currently licensed to operate a nuclear power plant under part 50 of this chapter shall submit, as specified in 50.4 and 50.90 of this chapter, a cyber security plan that satisfies the requirements of this section for Commission review and approval. Each submittal must include a proposed implementation schedule. Implementation of the licensee's cyber security program must be consistent with the approved schedule. Current applicants for an operating license or combined license who have submitted their applications to the Commission prior to the effective date of this rule must amend their applications to include a cyber security plan consistent with this section.

(a) Each licensee subject to the requirements of this section shall provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat as described in 73.1.
(1) The licensee shall protect digital computer and communication systems and networks associated with:
(i) Safety-related and important-to-safety functions;
(ii) Security functions;
(iii) Emergency preparedness functions, including offsite communications; and
(iv) Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.
(2) The licensee shall protect the systems and networks identified in paragraph (a)(1) of this section from cyber attacks that would:
(i) Adversely impact the integrity or confidentiality of data and/or software;
(ii) Deny access to systems, services, and/or data; and
(iii) Adversely impact the operation of systems, networks, and associated equipment.
(b) To accomplish this, the licensee shall:
(1) Analyze digital computer and communication systems and networks and identify those assets that must be protected against cyber attacks to satisfy paragraph (a) of this section,
(2) Establish, implement, and maintain a cyber security program for the protection of the assets identified in paragraph (b)(1) of this section; and
(3) Incorporate the cyber security program as a component of the physical protection program.
(c) The cyber security program must be designed to:
(1) Implement security controls to protect the assets identified by paragraph (b)(1) of this section from cyber attacks;
(2) Apply and maintain defense-in-depth protective strategies to ensure the capability to detect, respond to, and recover from cyber attacks;
(3) Mitigate the adverse affects of cyber attacks; and
(4) Ensure that the functions of protected assets identified by paragraph (b)(1) of this section are not adversely impacted due to cyber attacks.

[1] Retrieved from www.nrc.gov on 2/8/2014 and reformatted for ease of reading.

(d) As part of the cyber security program, the licensee shall:
(1) Ensure that appropriate facility personnel, including contractors, are aware of cyber security requirements and receive the training necessary to perform their assigned duties and responsibilities.
(2) Evaluate and manage cyber risks.
(3) Ensure that modifications to assets, identified by paragraph (b)(1) of this section, are evaluated before implementation to ensure that the cyber security performance objectives identified in paragraph (a)(1) of this section are maintained.
(e) The licensee shall establish, implement, and maintain a cyber security plan that implements the cyber security program requirements of this section.
(1) The cyber security plan must describe how the requirements of this section will be implemented and must account for the site-specific conditions that affect implementation.
(2) The cyber security plan must include measures for incident response and recovery for cyber attacks. The cyber security plan must describe how the licensee will:
(i) Maintain the capability for timely detection and response to cyber attacks;
(ii) Mitigate the consequences of cyber attacks;
(iii) Correct exploited vulnerabilities; and
(iv) Restore affected systems, networks, and/or equipment affected by cyber attacks.
(f) The licensee shall develop and maintain written policies and implementing procedures to implement the cyber security plan. Policies, implementing procedures, site-specific analysis, and other supporting technical information used by the licensee need not be submitted for Commission review and approval as part of the cyber security plan but are subject to inspection by NRC staff on a periodic basis.
(g) The licensee shall review the cyber security program as a component of the physical security program in accordance with the requirements of 73.55(m), including the periodicity requirements.
(h) The licensee shall retain all records and supporting technical documentation required to satisfy the requirements of this section as a record until the Commission terminates the license for which the records were developed, and shall maintain superseded portions of these records for at least three (3) years after the record is superseded, unless otherwise specified by the Commission.

[74 FR 13970, Mar. 27, 2009]

10 CFR 73.1 General Provisions [2] (a.k.a. design basis threat)

73.1 Purpose and scope.

(a) Purpose. This part prescribes requirements for the establishment and maintenance of a physical protection system which will have capabilities for the protection of special nuclear material at fixed sites and in transit and of plants in which special nuclear material is used. The following design basis threats, where referenced in ensuing sections of this part, shall be used to design safeguards systems to protect against acts of radiological sabotage and to prevent the theft or diversion of special nuclear material. Licensees subject to the provisions of 73.20 (except for fuel cycle licensees authorized under Part 70 of this chapter to receive, acquire, possess, transfer, use, or deliver for transportation formula quantities of strategic special nuclear material), 73.50, and 73.60 are exempt from 73.1(a)(1)(i)(E), 73.1(a)(1)(iii), 73.1(a)(1)(iv), 73.1(a)(2)(iii), and 73.1(a)(2)(iv). Licensees subject to the provisions of 72.212 are exempt from 73.1(a)(1)(iv).
(1) Radiological sabotage.
(i) A determined violent external assault, attack by stealth, or deceptive actions, including diversionary actions, by an adversary force capable of operating in each of the following modes: a single group attacking through one entry point, multiple groups attacking through multiple entry points, a combination of one or more groups and one or more individuals attacking through multiple entry points, or individuals attacking through separate entry points, with the following attributes, assistance and equipment:
(A) Well-trained (including military training and skills) and dedicated individuals, willing to kill or be killed, with sufficient knowledge to identify specific equipment or locations necessary for a successful attack;
(B) Active (e.g., facilitate entrance and exit, disable alarms and communications, participate in violent attack) or passive (e.g., provide information), or both, knowledgeable inside assistance;
(C) Suitable weapons, including handheld automatic weapons, equipped with silencers and having effective long range accuracy;
(D) Hand-carried equipment, including incapacitating agents and explosives for use as tools of entry or for otherwise destroying reactor, facility, transporter, or container integrity or features of the safeguards system; and
(E) Land and water vehicles, which could be used for transporting personnel and their hand-carried equipment to the proximity of vital areas; and
(ii) An internal threat; and
(iii) A land vehicle bomb assault, which may be coordinated with an external assault; and
(iv) A waterborne vehicle bomb assault, which may be coordinated with an external assault; and
(v) A cyber attack.
(2) Theft or diversion of formula quantities of strategic special nuclear material.
(i) A determined violent external assault, attack by stealth, or deceptive actions, including diversionary actions, by an adversary force capable of operating in each of the following modes: a single group attacking through one entry point, multiple groups attacking through multiple entry points, a combination of one or more groups and one or more individuals attacking through multiple entry points, or individuals attacking through separate entry points, with the following attributes, assistance and equipment:
(A) Well-trained (including military training and skills) and dedicated individuals, willing to kill or be killed, with sufficient knowledge to identify specific equipment or locations necessary for a successful attack;
(B) Active (e.g., facilitate entrance and exit, disable alarms and communications, participate in violent attack) or passive (e.g., provide information), or both, knowledgeable inside assistance;
(C) Suitable weapons, including handheld automatic weapons, equipped with silencers and having effective long range accuracy;
(D) Hand-carried equipment, including incapacitating agents and explosives for use as tools of entry or for otherwise destroying reactor, facility, transporter, or container integrity or features of the safeguards system;
(E) Land and water vehicles, which could be used for transporting personnel and their hand-carried equipment; and
(ii) An internal threat; and
(iii) A land vehicle bomb assault, which may be coordinated with an external assault; and
(iv) A waterborne vehicle bomb assault, which may be coordinated with an external assault; and
(v) A cyber attack.

[2] Retrieved from www.nrc.gov on 2/8/2014 and reformatted for ease of reading.

(b) Scope.
(1) This part prescribes requirements for:
(i) The physical protection of production and utilization facilities licensed under parts 50 or 52 of this chapter,
(ii) The physical protection of plants in which activities licensed pursuant to part 70 of this chapter are conducted, and
(iii) The physical protection of special nuclear material by any person who, pursuant to the regulations in part 61 or 70 of this chapter, possesses or uses at any site or contiguous sites subject to the control by the licensee, formula quantities of strategic special nuclear material or special nuclear material of moderate strategic significance or special nuclear material of low strategic significance.
(2) This part prescribes requirements for the physical protection of special nuclear material in transportation by any person who is licensed pursuant to the regulations in parts 70 and 110 of this chapter who imports, exports, transports, delivers to a carrier for transport in a single shipment, or takes delivery of a single shipment free on board (F.O.B.) where it is delivered to a carrier, formula quantities of strategic special nuclear material, special nuclear material of moderate strategic significance or special nuclear material of low strategic significance.
(3) This part also applies to shipments by air of special nuclear material in quantities exceeding:
(i) 20 grams or 20 curies, whichever is less, of plutonium or uranium-233, or

(ii) 350 grams of uranium-235 (contained in uranium enriched to 20 percent or more in the U-235 isotope).
(4) Special nuclear material subject to this part may also be protected pursuant to security procedures prescribed by the Commission or another Government agency for the protection of classified materials. The provisions and requirements of this part are in addition to, and not in substitution for, any such security procedures. Compliance with the requirements of this part does not relieve any licensee from any requirement or obligation to protect special nuclear material pursuant to security procedures prescribed by the Commission or other Government agency for the protection of classified materials.
(5) This part also applies to the shipment of irradiated reactor fuel in quantities that in a single shipment both exceed 100 grams in net weight of irradiated fuel, exclusive of cladding or other structural or packaging material, and have a total radiation dose in excess of 100 rems per hour at a distance of 3 feet from any accessible surface without intervening shielding.
(6) This part prescribes requirements for the physical protection of spent nuclear fuel and high-level radioactive waste stored in either an independent spent fuel storage installation (ISFSI) or a monitored retrievable storage (MRS) installation licensed under part 72 of this chapter, or stored at the geologic repository operations area licensed under part 60 or part 63 of this chapter.
(7) This part prescribes requirements for the protection of Safeguards Information (including Safeguards Information with the designation or marking: Safeguards Information Modified Handling) in the hands of any person, whether or not a licensee of the Commission, who produces, receives, or acquires that information.
(8) This part prescribes requirements for advance notice of export and import shipments of special nuclear material, including irradiated reactor fuel.
(9) As provided in part 76 of this chapter, the regulations of this part establish procedures and criteria for physical security for the issuance of a certificate of compliance or the approval of a compliance plan.

[44 FR 68186, Nov. 28, 1979, as amended at 45 FR 67645, Oct. 14, 1980; 45 FR 80271, Dec. 4, 1980; 46 FR 51724, Oct. 22, 1981; 47 FR 57482, Dec. 27, 1982; 52 FR 9653, Mar. 26, 1987; 53 FR 31683, Aug. 19, 1988; 53 FR 45451, Nov. 10, 1988; 59 FR 38899, Aug. 1, 1994; 59 FR 48960, Sept. 23, 1994; 63 FR 26962, May 15, 1998; 66 FR 55816, Nov. 2, 2001; 72 FR 12705, March 19, 2007; 72 FR 49561, Aug. 28, 2007; 73 FR 63573, Oct. 24, 2008]

Retrieved from www.nrc.gov on 2/8/2014

Regulatory Guide 5.71 versus RIPE

RIPE Functions

Governance
RIPE: A continuous process that determines the accuracy and completeness of system documentation, and measures and enforces compliance to procedural directives periodically.
RG 5.71: Develop, review (1-year cycle) and update a formal, documented security planning, assessment and authorization policy that describes the purpose, scope, roles, responsibilities, management commitments, and coordination and implementation of a cyber security program.

Metrics
RIPE: Measures the following attributes for each of the RIPE Domains: Quality, Completeness, Compliance.
RG 5.71: No programmatic level metrics, but recommends: measuring the cyber incident response capability within the organization; measuring vulnerability impact; developer security metrics for defect tracking within the code.

RIPE Domains

System Population Characteristics
RIPE: Detailed equipment and instrument list (cyber system inventory), manifested as a database, stores information on hardware systems, the software running on those systems, network association, and configuration details.
RG 5.71: Identify and document plant systems, equipment, communication systems, and networks that are associated with safety, important-to-safety, security, and emergency preparedness (SSEP) functions, as well as the support systems associated with SSEP functions.

Network Architecture
RIPE: A network architecture model, manifested as a set of diagrams with accompanying detail information for reference, identifies the connectivity options for specific endpoints and groups of endpoints. It identifies which network-connected systems can talk to which other network-connected systems.
RG 5.71: The cyber security defensive model is deployed using a network architecture portrayed by a series of increasing defensive levels and incorporates a defense-in-depth strategy. Requires restricting and controlling data flows.

Component Interaction
RIPE: Process flow diagrams with accompanying detail information identify the interfaces of digital components. For interfaces that have dedicated communication counterparts, such association is identified. Interfaces extend to non-IP networks, fieldbus, RS-232, and proprietary links.
RG 5.71: Validation includes the physical and logical location of each CDA, direct and indirect connectivity pathways to and from the CDA, interdependencies of the CDA, and evaluating the effectiveness of any existing security controls and the location of the CDA in the defensive architecture.

Workforce Roles and Responsibilities
RIPE: Workforce records of personnel: identities, affiliation (staff or contractor), role-based physical and logical access and execution privileges, applicable policies and SOPs, and competence of all individuals that legitimately interact with industrial control and safety systems or process IT equipment.
RG 5.71: Develop and implement a cyber security program that includes policies and procedures that describe the overall security goals, objectives, practices, and roles and responsibilities within the organization and, with high assurance, confirm that the cyber security program is properly established and maintained.

Workforce Skills and Competence Development
RIPE: Training curriculum and records of operations and maintenance personnel are a requirement that documents staff members' and contractors' ability to perform their interactions with industrial control systems professionally and meet the provisions of policies and SOPs.
RG 5.71: Individuals are trained to a level of cyber security knowledge appropriate to their assigned responsibilities in order to provide high assurance that these individuals are able to perform their job functions properly.

Procedural Guidance
RIPE: Standard operating procedures used by operations and maintenance personnel for cyber, manifested as written documents, structure the activities that comprise legitimate and appropriate interaction with plant floor systems.
RG 5.71: Develop and implement a cyber security program that includes policies and procedures that describe the overall security goals, objectives, practices, and roles and responsibilities within the organization and, with high assurance, confirm that the cyber security program is properly established and maintained.

Deliberate Design and Configuration Change
RIPE: Plant planning and change management procedures for cyber on the topology and architecture of process networks, configuration of essential infrastructure services, authorized remote access options and products, or proper configuration and usage of virtualization technology.
RG 5.71: Document the configuration management policy as a part of the configuration management plan and include hardware configurations, software configurations, and access permissions. Changes to hardware or software are documented and accessed in accordance with existing policies and implementing procedures.

System Acquisition
RIPE: System procurement guidelines specifying physical and functional system attributes and properties that industrial control and safety systems, industrial network gear, and process IT systems must have in order to meet an organization's quality criteria.
RG 5.71: A procurement policy that provides that the integrity of systems and services is maintained during the procurement process, development of procedures to facilitate and maintain the implementation of procurement policies associated with vendor security and development life cycles, and implementation of the security controls.

NEI 08-09 versus RIPE

RIPE Functions

Governance
RIPE: A continuous process that determines the accuracy and completeness of system documentation, and measures and enforces compliance to procedural directives periodically.
NEI 08-09: Develop, review (2-year cycle) and update a formal, documented security planning, assessment and authorization policy that describes the purpose, scope, roles, responsibilities, management commitments, and coordination and implementation of a cyber security program.

Metrics
RIPE: Measures the following attributes for each of the RIPE Domains: Quality, Completeness, Compliance.
NEI 08-09: No programmatic level metrics, but recommends: measuring vulnerability impact.

RIPE Domains

System Population Characteristics
RIPE: Detailed equipment and instrument list (cyber system inventory), manifested as a database, stores information on hardware systems, the software running on those systems, network association, and configuration details.
NEI 08-09: Identify and document plant systems, equipment, communication systems, and networks that are associated with safety, important-to-safety, security, and emergency preparedness (SSEP) functions, as well as the support systems associated with SSEP functions.

Network Architecture
RIPE: A network architecture model, manifested as a set of diagrams with accompanying detail information for reference, identifies the connectivity options for specific endpoints and groups of endpoints. It identifies which network-connected systems can talk to which other network-connected systems.
NEI 08-09: The cyber security defensive model is deployed using a network architecture portrayed by a series of increasing defensive levels and incorporates a defense-in-depth strategy. Requires restricting and controlling data flows.

Component Interaction
RIPE: Process flow diagrams with accompanying detail information identify the interfaces of digital components. For interfaces that have dedicated communication counterparts, such association is identified. Interfaces extend to non-IP networks, fieldbus, RS-232, and proprietary links.
NEI 08-09: Validation includes the physical and logical location of each CDA, direct and indirect connectivity pathways to and from the CDA, interdependencies of the CDA, and evaluating the effectiveness of any existing security controls and the location of the CDA in the defensive architecture.

Workforce Roles and Responsibilities
RIPE: Workforce records of personnel: identities, affiliation (staff or contractor), role-based physical and logical access and execution privileges, applicable policies and SOPs, and competence of all individuals that legitimately interact with industrial control and safety systems or process IT equipment.
NEI 08-09: Develop and implement a cyber security program that includes policies and procedures that describe the overall security goals, objectives, practices, and roles and responsibilities within the organization and, with high assurance, confirm that the cyber security program is properly established and maintained.

Workforce Skills and Competence Development
RIPE: Training curriculum and records of operations and maintenance personnel are a requirement that documents staff members' and contractors' ability to perform their interactions with industrial control systems professionally and meet the provisions of policies and SOPs.
NEI 08-09: Individuals are trained to a level of cyber security knowledge appropriate to their assigned responsibilities in order to provide high assurance that these individuals are able to perform their job functions properly.

Procedural Guidance
RIPE: Standard operating procedures used by operations and maintenance personnel for cyber, manifested as written documents, structure the activities that comprise legitimate and appropriate interaction with plant floor systems.
NEI 08-09: Develop and implement a cyber security program that includes policies and procedures that describe the overall security goals, objectives, practices, and roles and responsibilities within the organization and, with high assurance, confirm that the cyber security program is properly established and maintained.

Deliberate Design and Configuration Change
RIPE: Plant planning and change management procedures for cyber on the topology and architecture of process networks, configuration of essential infrastructure services, authorized remote access options and products, or proper configuration and usage of virtualization technology.
NEI 08-09: Document the configuration management policy as a part of the configuration management plan and include hardware configurations, software configurations, and access permissions. Changes to hardware or software are documented and accessed in accordance with existing policies and implementing procedures.

System Acquisition
RIPE: System procurement guidelines specifying physical and functional system attributes and properties that industrial control and safety systems, industrial network gear, and process IT systems must have in order to meet an organization's quality criteria.
NEI 08-09: Recommends that contracts specify cyber security requirements for vendors and contractors and these are applied while on site or used during procurement.
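The Network Architecture and Component Interaction rows above describe what the RIPE model records (which network-connected systems may talk to which) and what RG 5.71 and NEI 08-09 ask for (increasing defensive levels with restricted and controlled data flows). The following is an added example, not from the whitepaper, the RIPE Framework, RG 5.71 or NEI 08-09, of auditing observed connections against such a documented model: every observed pair that the model does not list is a documentation or design finding, every endpoint missing from the inventory is a system-population finding, and every connection initiated from a lower level toward a higher one is a data-flow finding. Host names, levels, the allowed-pair model and the flow-log lines are constructed; the direction rule (connections may only be initiated within a level or from a higher defensive level toward a lower one) is a simplified assumption for this example, not a quotation of either guidance document.

```python
"""Audit observed network connections against a documented network
architecture model for a set of CDAs.

Added example; not tooling from the whitepaper, the RIPE Framework, RG 5.71
or NEI 08-09. Host names, defensive levels, the allowed-connection model and
the flow-log lines are all constructed for illustration. The direction rule
(a connection may only be initiated within a level or from a higher defensive
level toward a lower one) is a simplified assumption for this example.
"""
import re
from collections import Counter

# Documented model (constructed): defensive level per CDA, higher = more protected.
LEVEL = {"corp-mail": 1, "dmz-hist": 2, "site-hist": 3, "hmi-01": 4, "plc-01": 4}

# Documented model (constructed): directed pairs (initiator, responder) that the
# network architecture diagrams say may talk to each other.
ALLOWED = {("hmi-01", "plc-01"), ("site-hist", "dmz-hist")}

# Constructed flow-log lines, as a firewall or flow collector might export them.
FLOW_LOG = """\
2014-02-08T10:15:00 src=hmi-01 dst=plc-01 svc=modbus/502
2014-02-08T10:15:04 src=site-hist dst=dmz-hist svc=sql/1433
2014-02-08T10:16:30 src=corp-mail dst=site-hist svc=smb/445
2014-02-08T10:17:02 src=dmz-hist dst=site-hist svc=rdp/3389
2014-02-08T10:18:45 src=eng-ws-07 dst=plc-01 svc=s7comm/102
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) svc=(\S+)$")


def parse_flow_log(text):
    """Parse 'src=... dst=... svc=...' lines into (src, dst, svc) tuples; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows.append((m.group(2), m.group(3), m.group(4)))
    return flows


def audit(flows, allowed=ALLOWED, level=LEVEL):
    """Return findings as (kind, src, dst, svc). One flow can yield more than one finding."""
    findings = []
    for src, dst, svc in flows:
        if src not in level or dst not in level:
            # Endpoint missing from the inventory: the system population is incomplete.
            findings.append(("unknown-endpoint", src, dst, svc))
            continue
        if (src, dst) not in allowed:
            # The model does not say these two may talk: documentation or design gap.
            findings.append(("undocumented", src, dst, svc))
        if level[src] < level[dst]:
            # Initiated from a lower level toward a higher one (assumed direction rule).
            findings.append(("upward-flow", src, dst, svc))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. for trending from one RIPE cycle to the next."""
    return dict(Counter(kind for kind, *_ in findings))


if __name__ == "__main__":
    found = audit(parse_flow_log(FLOW_LOG))
    for f in found:
        print("%-16s %s -> %s (%s)" % f)
    print(summarize(found))
```

The two documented flows produce no findings; the mail server reaching a plant historian and the DMZ historian opening a session back into the site network each raise both an "undocumented" and an "upward-flow" finding, and the engineering workstation that is absent from the inventory is flagged before any other check, since an unknown endpoint cannot be placed in the defensive architecture at all. Counting findings per kind gives a number that can be tracked across cycles, which is the kind of completeness and compliance measurement the Metrics row above calls for.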