Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cyber Security Plan Implementation Presentation to CMBG Glen Frix, Duke Energy June 20, 2010 1.

Published byKenneth Eric Lawrence Modified over 9 years ago

Similar presentations

Presentation on theme: "Cyber Security Plan Implementation Presentation to CMBG Glen Frix, Duke Energy June 20, 2010 1."— Presentation transcript:

1 Cyber Security Plan Implementation Presentation to CMBG Glen Frix, Duke Energy June 20, 2010 1

2 Cyber Security Overview NRC NERC 2

3 Overview NRC 10 CFR 73.54 and NERC CIP 002 - 009 Both large projects with significant assessment and documentation required. In some cases, modifications may be required to bring digital components into compliance. Scope: ◦ NRC: Safety, Important to Safety, Security, EP ◦ NERC: Bulk Electric System (Balance of Plant) 3

4 NRC 4

5 NRC All 104 US licensed nuclear units submitted CS Plan to NRC for their approval November, 2009. All used NEI 08-09 as guidance. Nuclear Energy Institute & industry team responded to ~71 Requests for Additional Information questions from NRC staff. Updated NEI 08-09 as a result. Rev. 6 has been approved by NRC Staff by letter in early May. Licensees will need to re-submit LAR based on NEI 08-09 Rev. 6 in ~July/August 2010. 5

6 NRC Technical Challenges ◦ ~140 cyber security controls w/ multiple bullets ◦ Numerous “Critical Digital Assets (CDAs)” per site. ◦ Each control has to be “addressed:”  Implement the control  Implement an alternate control, with justification  Justify why control is not needed. ◦ Controls based on National Institute of Standards & Technology (NIST) SP 800-53 & 82.  Not written in “nuclear speak.”  Thus, training is required. 6

7 NRC Schedule ◦ 10 CFR 73.54 did not specify a schedule. ◦ Sites submitted “draft” implementation schedule with original submittal in November 2009.  ~ 60 % of industry submitted 36/48/60 months after approval by NRC Staff. ◦ NRC now wants new schedule with supplement  Milestones as “commitments”  Final END DATE as condition of the License 7

8 NRC Project Overview ◦ Cyber security assessment  Cyber Security Assessment Team (CSAT) – (similar to MR Expert Panel)  ~35 CDAs per site (average) x ~140 controls x ~5 bullets per control  Walkdown/validation  Cross site fleet QV&V & industry benchmarks ◦ Training  CSAT  Ongoing ◦ Procedures/Directives  NSD 803, NSD 804, NSD 807, EDM 801  Implementing procedures ◦ Records  Documentation of assessment  Documentation of controls  Assessment team records ◦ Etc. 8

9 NRC Ongoing Program ◦ Periodic assessment ◦ weekly/monthly/quarterly/yearly surveillances ◦ Independent oversight ◦ Linkage to physical security plan ◦ Will require permanent, dedicated resources  Estimated ~ 2+ per site, dedicated, cyber security specialists  System engineers & IAE resources impacted on a case by case basis.  OPS, EP, Security resources impacted ongoing by CSAT 9

10 NRC Configuration Management ◦ ONGOING MONITORING AND ASSESSMENT  …The ongoing monitoring program includes:  Configuration management of CDAs;  Numerous assessment & verification activities 10

11 NRC Configuration Management ◦ 4.4 ONGOING MONITORING AND ASSESSMENT  …The ongoing monitoring program includes:  Configuration management of CDAs;  Numerous assessment & verification activities 11

12 NRC Configuration Management ◦ 4.4.1 Configuration Management and Change Control  CDA cyber security and configuration management documentation is updated or created using the site configuration management program or other configuration management procedure or process.  This documentation includes the bases for not implementing one or more of the technical cyber security controls specified in Appendix D of NEI 08- 09, Revision 6. 12

13 NRC Configuration Management ◦ Appendix E, Section 10 Configuration Management  10.2 Configuration Management Policy and Procedures  10.3 Baseline Configuration – document configuration of various cyber security related settings.  10.4 Security Change Control – authorize & document changes.  10.5 Security Impact Analysis prior to making changes  10.6 Access restrictions – physical and electronic access  10.7 Configuration Settings  10.8 Least functionality – eliminate unnecessary ports, services, etc.  10.9 Component Inventory 13

14 NERC 14

15 NERC FERC Order 706-B clarified the exemption for “facilities” regulated by the NRC. “Facilities” to Nuclear meant “Oconee Nuclear Station.” Facilities to FERC meant the Reactor Protection System at Oconee Nuclear Station. FERC “hired” NERC to implement the cyber security rules, thus the NERC CIP cyber security standards. Great desire by industry to only have one regulator per system. ◦ “bright line” divides NERC scope from NRC scope ◦ NERC “survey” of systems due to NERC by 7-23-10. 15

16 NERC Presently per NERC CIP 002, many nuclear stations are not in scope. ◦ Not “critical assets” to the Bulk Electric System. ◦ Few nuclear stations are critical. ◦ Nor are the large Duke SE fossil stations. Revision 4 of NERC CIPs likely to be approved in December 2010. If the current draft is approved, many generation sites are likely to be in scope. Revision 4 of the standards are out for comment right now. Implementing NRC and NERC concurrently will be significantly difficult. 16

17 17 “My job is to tell you things you don’t want to hear, asking you to spend money you don’t have, to prepare for something you don’t believe will ever happen.” (Mike Selves, Director of Emergency Management and Homeland Security, Johnson County, Kansas)

18 COMMENTS/QUESTIONS? 18

Download ppt "Cyber Security Plan Implementation Presentation to CMBG Glen Frix, Duke Energy June 20, 2010 1."

Similar presentations

NERC Cyber Security Standards Pre-Ballot Review. Background Presidents Commission on Critical Infrastructure Protection PDD-63 SMD NOPR NERC Urgent Action.

NERC Cyber Security Standards Pre-Ballot Review. Background Presidents Commission on Critical Infrastructure Protection PDD-63 SMD NOPR NERC Urgent Action.
2004 NERC, NPCC & New England Compliance Programs John Norden Manager, Operations Training, Documentation & Compliance August 31, 2003 RC Meeting.

2004 NERC, NPCC & New England Compliance Programs John Norden Manager, Operations Training, Documentation & Compliance August 31, 2003 RC Meeting.
Course Material Overview of Process Safety Compliance with Standards

Course Material Overview of Process Safety Compliance with Standards
Michael Thow Cyber Security Engineering Supervisor

Michael Thow Cyber Security Engineering Supervisor
INPO Update CMBG Meeting June 2013

INPO Update CMBG Meeting June 2013
FDA’s Proposed Rule under FSMA for Preventive Controls

FDA’s Proposed Rule under FSMA for Preventive Controls
Recent NERC Standards Activities RSC – Jan. 5, 2011 NSRS Update Date Meeting Title (optional)

Recent NERC Standards Activities RSC – Jan. 5, 2011 NSRS Update Date Meeting Title (optional)
1 Component Design Basis Inspection (CDBI) Graydon Strong 6/17/14.

1 Component Design Basis Inspection (CDBI) Graydon Strong 6/17/14.
10 CFR Part 26, Subpart I Managing Fatigue 10 CFR Part 26, Subpart I Managing Fatigue Kamishan O. Martin, Human Factors Engineer Office of Nuclear Reactor.

10 CFR Part 26, Subpart I Managing Fatigue 10 CFR Part 26, Subpart I Managing Fatigue Kamishan O. Martin, Human Factors Engineer Office of Nuclear Reactor.
1 NRC Regulatory Initiatives National Radiological Emergency Preparedness Conference 2009 April 21, 2009 Bill Dean Deputy Director, Office of Nuclear Security.

1 NRC Regulatory Initiatives National Radiological Emergency Preparedness Conference 2009 April 21, 2009 Bill Dean Deputy Director, Office of Nuclear Security.
NRC Cyber Security Regulatory Program Development Background ANSI Nuclear Energy Standards Coordination Collaborative (NESCC) Meeting November 3, 2014November.

NRC Cyber Security Regulatory Program Development Background ANSI Nuclear Energy Standards Coordination Collaborative (NESCC) Meeting November 3, 2014November.
Project 2008-06 Cyber Security Order 706 January 10, 2012 Most of the material presented has been compiled from NERC webinars and drafting team meetings.

Project Cyber Security Order 706 January 10, 2012 Most of the material presented has been compiled from NERC webinars and drafting team meetings.
Cumulative Impacts James Slider November 7, 2013.

Cumulative Impacts James Slider November 7, 2013.
BS Information Systems – University of Redlands BS Information Systems – University of Redlands AS Electronic Technology AS Electronic Technology Project.

BS Information Systems – University of Redlands BS Information Systems – University of Redlands AS Electronic Technology AS Electronic Technology Project.
Licensing of Nuclear Power Plants in Pakistan

Licensing of Nuclear Power Plants in Pakistan
1 10 CFR Part 26 Subpart I Managing Fatigue Kamishan Martin Human Factors Engineering June 23, 2010 HPRCT conference.

1 10 CFR Part 26 Subpart I Managing Fatigue Kamishan Martin Human Factors Engineering June 23, 2010 HPRCT conference.
Physical Security CIP-014-1 NERC Standing Committees December 9-10, 2014.

Physical Security CIP NERC Standing Committees December 9-10, 2014.
1 NRC Plans for NESCC Concrete Specifications, Codes & Standards (SCS) Endorsement NESCC Meeting March 28, 2013 Richard Jervey USNRC Office of Regulatory.

1 NRC Plans for NESCC Concrete Specifications, Codes & Standards (SCS) Endorsement NESCC Meeting March 28, 2013 Richard Jervey USNRC Office of Regulatory.
NRC Decommissioning Activities for the San Onofre Nuclear Generating Station Bruce A. Watson, CHP Chief, Reactor Decommissioning Branch Division of Decommissioning,

NRC Decommissioning Activities for the San Onofre Nuclear Generating Station Bruce A. Watson, CHP Chief, Reactor Decommissioning Branch Division of Decommissioning,
Oconee RPS/ESPS Digital Upgrade Presented by: Michael Bailey June 3, 2013 1.

Oconee RPS/ESPS Digital Upgrade Presented by: Michael Bailey June 3,

Similar presentations

Ads by Google