Cyber Security Plan Overview
Cynthia Broadwell, Progress Energy
Nolan Heinrich, TVA
William Gross, Nuclear Energy Institute

Introduction
Cynthia Broadwell, Progress Energy
- Progress Energy Fleet Cyber Security and SQA Program Manager
- > 30 years nuclear industry experience: Engineering, Technical Support, Nuclear Information Technology
- NEI Cyber Security Task Force Member (2010 - Present)
- NITSL Executive Committee Cyber Security Sponsor (2006-2008)
- NITSL Cyber Security Committee Chairman (2008-2010)
- Member, writing team:
  - NEI 08-09 Rev. 0 - Rev. 6
  - NEI 10-04 Rev. 0
  - NEI 10-09 Rev. 0
  - NITSL SQA Policy and Guidance Documents
- Four nuclear sites / 5 units / BWR & PWR
- Fortune 500
- Service area in the Carolinas & Florida
- 21,800 owned MW of capacity
- 11,000 employees / 3.1 million customers

Digital Systems History in Nuclear Plants
- 1990s: computer systems in a nuclear power plant were less susceptible to random worms and viruses; most of those systems were completely isolated from any external connectivity
- Before 9/11, nuclear power plants were transitioning to modern operating systems
- Site personnel wanted connectivity to the desktop
- Vendors wanted remote access

Cyber Security Evolution
- EA-02-026 (B5b) (2002): Security Order to ensure security connectivity for safety systems
- NEI 04-04, Cyber Security Program for Power Reactors (accepted by NRC 12/2005)
- Cyber added to both RG 5.69 and 10 CFR 73.1, which described the types of cyberattacks and attackers (~2007)
- NEI 04-04 Cyber Security Program implemented and migrated to maintenance phase (May 2008)

Cyber Security Codified
- 10 CFR 73.54, Cyber Security Regulation (effective May 26, 2009)
- Cyber Security Plan submittals to the NRC as a license amendment (LAR) (November 2009)
- ~100 generic RAIs resolved (May 2010)
- All plants submitted revision of Cyber Security Plan based on NEI 08-09 Rev. 6 (July 2010)
- 3 generic RAIs on the cyber security LAR; resubmittal (April 2011)
- Licensees expect the NRC will approve site/fleet license amendments by July 31, 2011

What is Cyber Security?
- Provides high assurance that digital computer and communication systems and networks associated with SSEP are adequately protected from cyber attack up to and including DBT:
  - 73.54(a)(1)(i) Safety and Important to Safety functions
  - 73.54(a)(1)(ii) Security functions
  - 73.54(a)(1)(iii) Emergency Preparedness functions including off-site communications
  - 73.54(a)(1)(iv) Support Systems
- Cyber Security Plan, 73.54, is one of four Security Plans required by 10 CFR 73
- Component of operating license

Why is Cyber Security important?
- Protects site Critical Systems and Critical Digital Assets from cyber attack
- Implements cyber security controls to mitigate internal and external threat vectors:
  - Network/Internet (direct connection)
  - Wireless Access/Capability
  - Portable Mass Media
  - Supply Chain
  - Direct Physical Access

What are our Commitments?
- 10 CFR 73.54, Protection of digital computer and communications systems and networks
  - The Rule
- The Cyber Security Plan, Appendix A
  - Performance Requirements (73.54, 73.55, 73.56)
  - Technical Security Controls designated to be implemented in Appendix A
- The Implementation Schedule
  - Technical Security Controls designated to be implemented in the Implementation Schedule
- The two commitment dates:
  - December 31, 2012
  - [mm/dd/yyyy] Full Compliance with the Rule

Implementation Schedule Template
- Establish Cyber Security Assessment Team *
- Identify Critical Systems and Critical Digital Assets *
- Install Unidirectional Network equipment *
- Implement portable media controls *
- Implement observation of obvious cyber related tampering *
- Perform assessment to identify, document, and implement cyber security controls *
- Commence ongoing monitoring and assessment of CDAs and Cyber Program *
- Full implementation of Cyber Security Plan (12/31/20##)
* Actions to be completed by 12/31/2012

[Figure: NEI 10-09 Digital Protection Boundaries. Diagram labels: Levels 1 to 4, CDAs, data diodes, firewalls (FW), FW/IDS, Level 4 isolated network; scale from "More Attack Vectors" to "Less Attack Vectors".]

[Figure: NEI 10-09 Physical Protection Boundaries. Diagram labels: Outside Plant Boundary, Owner Controlled Area (OCA), Protected Area, Vital Area, Other Area; Rooms A to H, including manned and unmanned rooms, locked room, locked cabinet, locked and alarmed cabinet/door, and access controlled building with alarmed room/cabinet; scale from "More Attack Vectors" to "Less Attack Vectors".]

Introduction
Nolan Henrich
- General Manager, Computer Engineering
  - Real Time Computer Systems
  - SQA Program Management
  - Cyber Security Program Management
- NITSL Executive Committee
  - NITSL SQA Subcommittee
  - NITSL Cyber Security Subcommittee
- TVA
  - Three nuclear sites
  - 6 nuclear units in service (3 BWR/3 PWR)
  - Watts Bar 2 fuel load and startup in next 18 months

Key Take Aways
- Cyber Security is a way of doing business; it is not an event, it is a collection of processes
- It requires a significant change in the way business is conducted

How does Cyber Security impact my organization?
- Engineering (Systems and Design)
- Information Technology
- Physical Security
- Operations
- Maintenance
- Emergency Preparedness
- Training
- Work Management
- Procurement

Observations From WB2
- CSAT team (6 permanent team members)
- CSAT supplemented by system engineer for the system under review
- Dedicated 3 days per week
- 3-month effort
- Drew on information collected during NSIAC Cyber Security Initiative

Observations From WB2 (Continued)
- 50 plant systems
- 1400 digital devices
  - 900 Critical Digital Devices (CDAs)
  - 500 Digital Devices (DAs)
- Evaluated assets against approximately 1100 cyber controls

Next Steps
- Develop remediation plans and implementation schedules
- Integrate cyber security into existing plant processes, training, and procedures
- Develop implementing procedures (fleet-wide approach)
- PMs developed for ongoing cyber activities (approximately 75 controls must be performed on CDAs monthly)

Challenges
- Changing regulatory environment
- Integration of cyber security controls with plant processes and procedures
- Changing the culture
  - Project mentality (cyber security is an event)
  - Resistance to change (trying to make my job harder)
- Resources

Introduction
William Gross
- Project Manager, Security
- Cyber Security, all activities
  - NEI 08-09, NEI 10-04, NEI 10-09, NEI 10-09
  - FERC Order 706-B
- Chair, NEI Cyber Security Task Force
- Member, NEI Security Working Group
NEI
- Policy organization for nuclear industry
- Members include all entities licensed to operate commercial nuclear power plants in the United States, nuclear plant designers, major architect/engineering firms, fuel fabrication facilities, nuclear materials licensees, etc.

Who is the CSTF?
The NEI Cyber Security Task Force:
- Reports to the Security Working Group
- SGI workshop
- NNSC workshop
- Recommends cyber initiatives to be approved by SWG, then to be carried out by the CSSC
- CSTF member is sponsor and lead participant of CSTF initiative
- INPO representative
- Industry fleet and individual licensee directors, managers, designees
- Interface to government and regulatory agencies
- Sponsors annual workshop

Who is the CSSC?
The NITSL Cyber Security Standing Committee:
- Sponsored by NEI and INPO
- Has been in place since ~2006
- All licensee companies represented
- Forms working team for CSTF initiatives
- Sponsors weekly meetings and annual workshop
- Attended by NRC, DHS, FBI, others

CSTF and CSSC Initiatives
- NEI 04-04, Voluntary Cyber Security Initiative
- NEI 08-09, Cyber Security Plan Template
- NEI 10-04, Critical Systems (SSEP, BOP, EP)
- NEI 10-09, Addressing Security Controls
- NEI 10-08, Cyber Security Rule Evaluation Program
- SFAQ 10-05, IT Functions for the Critical Group
- DG-5019, Reporting Cyber Events; Industry Response Team
- White paper: Crediting the Insider Mitigation Program
- Nuclear Responses to NERC Alerts/Advisories
- Brief NRC on initiatives
- Host DHS, FBI, others, to ensure awareness of cyber related issues

Questions
What are the key terms and definitions?
- Adversary: Individual, group or organization that has adversely impacted or is attempting to adversely impact a CDA. (Cyber Security Plan)
- Critical System: A system that is associated with safety-related functions; important-to-safety functions; security functions; emergency preparedness functions, including offsite communications; or support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions. (Cyber Security Plan)

What are the key terms and definitions?
- Critical Digital Asset: A digital computer, communication system, or network that is 1) a component of a critical system (this includes assets that perform SSEP functions; provide support to, protect, or provide a pathway to Critical Systems); or 2) a support system asset whose failure or compromise as the result of a cyber attack would result in an adverse impact to a SSEP Function. (Cyber Security Plan)
- Critical Digital Asset: The electronic systems, networks, or equipment that fall within the scope of 10 CFR 73.54 (i.e., within the Level 3 or 4 boundaries described in Regulatory Guide 5.71). Such systems, networks, and equipment have the ability to compromise the facility's safety, security, or emergency response (SSEP) functions. (DG-5019)

What are the key terms and definitions?
- Cyber Attack: Any event in which there is reason to believe that an adversary has committed or caused, or attempted to commit or cause, or has made a credible threat to commit or cause malicious exploitation of a CDA.
  * Clarify definition and align with definition found acceptable by the NRC as documented in a USNRC letter from Richard P. Correia to Christopher E. Earls, Nuclear Energy Institute 08-09, Cyber Security Plan Template, Rev. 6, dated June 7, 2010.
- Cyber Attack (1 hour reportable): Any event in which there is reason to believe that a person has committed or caused, or attempted to cause, or has made a threat to commit or cause, an act to modify, destroy, or compromise any systems, networks, or equipment that falls within the scope of 73.54 of this part. As established by 10 CFR 73 Appendix G Paragraph I (h)

What are the key terms and definitions?
- Threat: Any circumstance or event with the potential to adversely impact SSEP functions through a CDA via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. (derived from NIST 800-53)
- Threat Vector: Pathways that can be exploited through malicious activity to penetrate security perimeters or network devices to adversely impact a CDA's SSEP functions. (derived from Twenty Critical Controls for Effective Cyber Defense: Consensus Audit Version 2.3: November 13, 2009)

What are the key terms and definitions?
- Threat Vectors: The means an adversary must have at his disposal to compromise a CDA. This list could be collapsed into two items, physical access and logical access. (NEI 10-09)
  - Direct Network Connectivity
  - Wireless Access Capability
  - Portable Media and Equipment
  - Supply Chain
  - Direct Physical Access

Break 3 - 3:30 p.m.