The Nuclear Regulatory Commission's Forthcoming Cyber Security Rule: Application to Emergency Preparedness Systems at Nuclear Facilities
Prepared by: Cliff Glantz, Phil Craig, and Guy Landine, Pacific Northwest National Laboratory, Richland, WA
Presentation Overview
- Overview of cyber security
- Review the cyber threat landscape
- A brief history of cyber security requirements and guidance for the nuclear power industry
- The new draft Nuclear Regulatory Commission (NRC) Cyber Security Rule -- 10 CFR 73.54
- Current/future cyber security guidance
- The implication of new requirements for meteorology and emergency preparedness programs
Overview of Cyber Security for the Nuclear Power Industry
- The licensees will need to have a comprehensive program in place to protect digital and computing assets and processes.
- This program will need to provide a high level of assurance that intentional or unintentional events (i.e., cyber attacks) do not adversely impact nuclear critical assets and processes.
- NRC's focus is on systems and networks associated with:
  - Safety and security
  - Emergency preparedness, including meteorology and offsite communications
  - Systems and networks which, if compromised, could adversely impact safety, security or emergency preparedness functions
- Licensees also need to be concerned about other systems and networks (e.g., continuity of power).
What is a Cyber Attack?
A cyber attack can include a wide variety of computer-based events that could impact:
- Confidentiality: violate the security of data or software. Unauthorized access (internal or external) by those without appropriate authorization and need to know.
- Integrity: modify, destroy, or compromise data or software. This can involve the insertion of erroneous or misleading data or the unauthorized takeover of a system.
- Availability: deny access to systems, networks, services, or data.
Types of Threats
- Targeted/Untargeted
  - Targeted threats are directed at a specific control system or facility
  - Untargeted threats are focused on any computer with a given operating system or commonly used software (e.g., Windows XP, Excel)
- Direct/Indirect
  - Direct involves an exploit on the targeted system
  - Indirect involves exploiting a support system (e.g., power, cooling)
- Malicious/Inadvertent
  - Malicious -- intending to do harm
  - Inadvertent -- an accidental outcome
- Insider/Outsider
  - Insider can be someone employed at the facility or a vendor
  - Outsider can have no direct connection to the target, but may still have considerable knowledge
  - Outsiders can exploit insiders with or without their explicit cooperation
Examples of Potential Cyber Attacks
- Company-labeled USB memory sticks are left at a nearby shopping center, train station, or ball field. They contain malware that will be installed on a company computer if someone plugs in the lost stick to see who it belongs to… (Direct/Malicious/Targeted/Outsider+Insider)
- A freeware program is downloaded to a business computer for a legitimate purpose. It contains malware. The program is copied to a laptop used to adjust settings on an environmental control system. (Indirect/Malicious/Untargeted/Outsider+Insider)
- A worker installs updated software on a non-critical, testing-platform control system and reboots the system. The operational control system is synchronized with the test system and it is shut down by the reboot process. (Direct/Inadvertent/Targeted/Insider)
Let's Pause for a Second and Consider Global Warming and the Nuclear Renaissance
- Basic lesson for college freshmen: (1) CO2 is a greenhouse gas. (2) The more CO2 you have in the atmosphere, the higher the mean temperature…
- CO2 has been going up since the beginning of the industrial age and an astounding 25% just in my lifetime.
- Concern over global warming has been a boon for the nuclear power industry.
- What can kill this renaissance? Safety issues
History of Cyber Security Guidance
- NRC Order EA-02-026, Interim Safeguards and Security Compensatory Measures for Nuclear Power Plants, in February 2002
- NRC Order EA-03-086, Design Basis Threat for Radiological Sabotage, was released in April 2003
- NUREG/CR-6847, Cyber Security Self-Assessment Method for U.S. Nuclear Power Plants
- NEI 04-04 Rev. 1, Cyber Security Program for Power Reactors (November 2005)
- Regulatory Guide (RG) 1.152 Rev. 2, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants
- Branch Technical Position (BTP) 7-14 Rev. 5, Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems
On the Immediate Horizon…
Awaiting release:
- 10 CFR 73.54, Protection of Digital Computer and Communication Systems and Networks
- Draft Regulatory Guide DG-5022, Cyber Security Programs for Nuclear Facilities
Key Concepts in the Draft Cyber Security Rule
Key concepts of the new Cyber Security Rule:
- The licensee shall provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks.
- This ranges from simple attacks to those defined in the design basis threat (see Title 10 of the Code of Federal Regulations (10 CFR) Part 73, Section 73.1).
Key Concepts in the Rule (cont)…
- Covers safety, security, and emergency preparedness systems (including other systems that can impact their performance).
- Assets shall be protected from attacks that could adversely impact the confidentiality, integrity, and availability (CIA) and operation of systems, networks, and associated equipment.
- This shall include employing state-of-the-art defense-in-depth protective strategies to detect, protect, respond to, and mitigate cyber attacks.
Key Concepts in the Rule (cont)…
- Implement appropriate security controls to protect assets. This includes management, operational and technical security controls.
- Diagram labels: Defensive Strategies; Security Controls (Management, Operational, Technical, with families of security controls within each class); Policies, Procedures, Practices, & Technologies
Key Concepts in the Rule (cont)…
- Two-prong approach to defense-in-depth:
  - Use multiple-layered security controls.
  - Have appropriate detection, mitigation, response, and recovery capabilities in place if your security controls fail. In other words, if an attack penetrates your defenses, be prepared to prevent adverse impacts from the attack.
- Ensure the functionality of critical systems is maintained!
- Systematically evaluate cyber security risks for all critical systems.
- Consider cyber security implications before making any system modifications.
Key Concepts in the Rule (cont)…
- Provide appropriate, position-specific cyber security training.
- Licensees shall submit a formal cyber security plan to the NRC.
- Licensees shall implement a formal cyber security program that is part of their physical security program.
Guidance: Current and Future
- Currently, cyber security guidance is provided to the industry by NEI 04-04. It gives a 30,000 ft level look at cyber security (i.e., it provides a framework but doesn't provide details on how to achieve objectives).
- The NRC is preparing Draft Regulatory Guide DG-5022, Cyber Security Programs for Nuclear Facilities.
- DG-5022 fully addresses the new Rule and provides a lot more guidance (e.g., a 3,000 ft perspective) that should help technical folks understand what they need to do for their systems.
- I can't talk about details of the draft Reg Guide in this forum, but the draft guidance has been released for industry review.
- More Reg Guides and NUREGs will be coming…
Guidance for Meteorology and Other Emergency Preparedness Systems
- Be aware of the cyber security threat environment
- Assess the cyber security of your systems and networks
- Assess the cyber security of your communication pathways
- Look for and eliminate cyber vulnerabilities
- Be proactive in defending your systems
- Think about the cyber security risks associated with potential productivity enhancements
- Don't be afraid to ask for help from your plant or corporate cyber security specialists
- Discuss security needs with your management
Questions?
Cliff Glantz
Chair of DOE Subcommittee on Consequence Assessment and Protective Actions (SCAPA)
Pacific Northwest National Laboratory
PO Box 999, Richland, WA 99352
509-375-2166