Presentation is loading. Please wait.

Presentation is loading. Please wait.

Nuclear Power Plant “Bright-Line” NERC:. Tim Roxey and Jim Hughes NRC:

Published byPhilippa Cannon Modified over 8 years ago

Similar presentations

Presentation on theme: "Nuclear Power Plant “Bright-Line” NERC:. Tim Roxey and Jim Hughes NRC:"— Presentation transcript:

1 Nuclear Power Plant “Bright-Line” NERC:. Tim Roxey and Jim Hughes NRC:
Nuclear Power Plant “Bright-Line” NERC: Tim Roxey and Jim Hughes NRC: Perry Pederson and Ralph Costello Charlotte, NC April 22, 2010 Phoenix, AZ April 26, 2010 Philadelphia, PA May 4, 2010 Chicago, IL May 6, 2010

2 Workshop Topics Bright-Line Requirement Cyber Security at NRC
Bright-Line Process NRC’s Position Relative to the MOU Bright-Line Survey NERC Point of Contacts Q & A – Please hold questions and comments to the end of the presentation Stress that the Bright-Line is a FERC Directive to complete.

3 “Bright-Line” Requirement
Establish the FERC and NRC jurisdictional delineation of Nuclear Power Plant (NPP) Systems Structures and Components (SSC) through the creation of an exemption process for excluding certain SSCs from the scope of applicable NERC Standards as provided in FERC Order No. 706-B Bright-Line Talk to how the NRC and NERC worked together to develop the “generic” list. To ensure its accuracy, meet 706B, and FERC Order to implement the process.

4 NRC/NERC Bright-Line Workshop
Cyber Security at NRC NRC/NERC Bright-Line Workshop Perry Pederson NSIR Security Specialist (Cyber)

5 Overview 10 CFR 73.54 Regulatory Guide 5.71
Fear, Uncertainty, and Doubt Federal Energy Regulatory Commission North American Electric Reliability Corporation Code of Federal Regulations

6 10 CFR 73.54 High-level, Performance-Based, Programmatic
FOCUS: Prevention of Radiological Sabotage Generic (i.e., not reactor-specific) Consistent with physical security regulatory approach Basic Requirements Systems that must be protected Defense-in-Depth protective strategy Application of security controls Implementation details maintained on site Submit Cyber Security Plans to NRC for approval Cyber Security Plans Site-specific processes and criteria

7 RG 5.71 Overview Components Performance-Based, Programmatic
Published Jan 2010 Components Main Body Appendix A (generic cyber security plan template) Appendix B (technical security controls) Appendix C (operational/management security controls) Performance-Based, Programmatic Consistent with NIST recommendations Flexible and minimally prescriptive with burden on licensees to establish effective programs Alignment with Digital I&C Interim Staff Guidance ISG-1 ISG-4 RG 1.152 Instrumentation and Control (I&C) Interim Staff Guidance (ISG)

8 RG 5.71 Guideline Form Cyber Security Team
Identify Critical Digital Assets Apply Defensive Architecture Address Security Controls Address each control for each CDA Or, apply alternative measures Or, explain why a control is N/A

9 Bright-Line Process NERC: Tim Roxey

10 Cyber Controls – NPP a Total View
Security Controls to address - 10 CFR 73.1 (Design Basis Threat) 10 CFR (Cyber Security) Performance Objective: PREVENT RADIOLOGICAL SABOTAGE NRC FERC/NERC Bulk Power Reliability Controls: Section 215 of the Federal Power Act 18 CFR Conservation of Power and Water Resources Regulatory Basis: Grid Reliability NERC Governance: Rules of Procedures section 400 “Compliance Enforcement Program” Title 10 Scope: Systems that support Safety functions Security functions Emergency Response functions Support Systems that could adversely impact one of the above functions NRC REGULATORY GUIDE 5.71 FPA Section 215 Scope: Balance-of-Plant “Support Systems” that do not adversely impact: Safety functions Security functions Emergency Response functions Fully compliant Title 10 and FPA Section 215 NOTE: It should be noted that there will be some SSCs that will not be impacted by either NRC or NERC requirements. Fully compliant Title 10 INTRODUCTION: The NRC has presented the left side of this model, NERC jurisdictional regulatory basis is founded in the right side of this model… Stress that these are two different focus areas with different project schedules that are separated by the Bright-Line, NO Dual regulation. NOTE: It should be noted that there will be some SSCs that will not be impacted by either NRC or NERC requirements. On the CIP state how the remaining SSCs that manage CEII or may impact reliable delivery of electricity to the BPS “MAY” be in scope. Bright-Line FERC Order 706/706B: Identify those SSCs that are exempted from NERC jurisdiction and thereby MAY not be subject to applicable CIP standards Individual licensee Cyber Security Plan submitted (10 CFR 73.54) Individual COL Applicant submitted ( 10 CFR Part 52) NERC CIP

11 Bright-Line History January 18, 2008: FERC issued Order No. 706 adopting CIP-002 – 009 standards CIP Standards exempt facilities regulated by the NRC March 19, 2009: FERC issued Order No. 706-B, certain balance of plant (BOP) SSCs are subject to compliance with NERC CIP Reliability Standards No “dual regulation” i.e., Bright-Line September 14, 2009: NERC’s NPP CIP Implementation Plan for each NPP, by requirement, filed to FERC R = FERC Effective Date, S = Scope of Systems Determination and, RO = Next Refueling Outage beyond 18 months (R+6) January 18, 2008: FERC issued Order No. 706 imposing CIP-002 through CIP-009 Reliability Standards on Bulk Power System (BPS) users, owners, and operators. Each of these CIP-002 through CIP-009 standards exempted facilities regulated by the NRC. March 19, 2009: FERC issued Order No. 706-B, noting that the NRC’s proposed regulations on cyber security would not apply to all systems, structures, and components (SSCs) within an NPP and therefore these remaining balance of plant (BOP) SSCs are subject to compliance with NERC CIP Reliability Standards. FERC noted there will be no “dual regulation.” Most are R+18 months and S+10. CIP-002 R1 & 2 are R+12. CIP have RO+6 months for outage considerations. It is important to mention that this implementation plan was thoroughly vetted by the NPP industry for comments.

12 Bright-Line History (Cont’d)
December 17, 2009: FERC Order directing NERC to present a process on how SSCs are exempted from NERC Reliability Standards by January 19, 2010 (Bright-Line) December 30, 2009: Historic MOU executed between the NRC and NERC identifying their roles and responsibilities January 19, 2010: NERC filing to FERC the details on the exemption process for NPP Coordinated with the NRC to determine those SSCs subject to NERC jurisdiction and those SSCs subject to NRC jurisdiction – Generic List March 18, 2010: FERC Order approving NERC’s Bright-Line & Implementation plan (R = March 18, 2010) December 17, 2009: FERC issued its Order Addressing Compliance Filing and Requiring Further Compliance Filing, in part, which directed NERC to present its exemption process (i.e., the “Bright-Line Determination” or the process for determining which SSCs are subject to NRC jurisdiction, and which are subject to compliance with NERC Reliability Standards) by January 19, 2010. December 30, 2009, MOU executed between the NRC and NERC to set forth and coordinate the roles and responsibilities of the NRC and NERC as they relate to their respective cyber security requirements January 19, 2010: NERC made a compliance filing to FERC explaining the exemption process it will undertake in coordination with the NRC to determine those SSCs subject to NERC jurisdiction and those SSCs subject to NRC jurisdiction. Talk to how the NRC and NERC worked together to develop the “generic” list. NERC/NRC recognizes that there are differences from NPP to NPP. To ensure its accuracy, meet 706B, and implement the process as stated in the compliance filing, the survey was deemed the most efficient means for accuracy “Certified Bright-Line”

13 Confidential Information
NERC’s Handling of Confidential Information The information provided by the NPPs to NERC will be handled in accordance with the NERC Rules of Procedure (RoP) section 1500 “Confidential Information” if that information is so designated by the NPP NERC and regional staff that review information that is SGI will be Safeguard Authorized per 10 CFR §73.21 & §73.22 NERC will establish “Reviewing Officials” for SGI per the MOU  Confidential business and market information  Critical energy infrastructure information  Personnel information that identifies or could be used to identify a specific individual, or reveals personnel, financial, medical, or other personal information  Work papers, including any records produced for or created in the course of an evaluation or audit  Investigative files, including any records produced for or created in the course of an investigation  Cybersecurity incident information; provided, that public information developed or acquired by an entity shall be excluded from this definition Tim Roxey & Jim Hughes are NERC’s “Reviewing Officials” for SGI…This is per the NERC/NRC MOU Appendix.

14 Collection of Information
NERC Authority to Collect Bright-Line Information ▪ Section 215 of the Federal Power Act (16 U.S.C. §824o): Established NERC as the ERO to enforce NERC Standards ▪ Title 18 C.F.R §39.2(d) (FERC’s Regulations): User, owner or operator of the bulk power system shall provide such information as is necessary to implement section 215 of the Federal Power Act to FERC/ERO/Region ▪ NERC Rule of Procedure 400, Section 10.1: Information Submittal - Each Regional Entity has the authority to collect the necessary information to determine compliance NERC’s Authority to Collect Bright-Line Information from NPPs Section 215 of the Federal Power Act (16 U.S.C. §824o): Under Section 215, Congress entrusted FERC with the duties of approving and enforcing rules to ensure the reliability of the Nation’s bulk power system, and with the duties of certifying an Electric Reliability Organization (“ERO”) that would be charged with developing and enforcing mandatory Reliability Standards, subject to FERC approval. NERC was certified as the ERO on July 20, 2006. Title 18 C.F.R §39.2(d) (FERC’s Regulations): (d) Each user, owner or operator of the Bulk-Power System within the United States (other than Alaska and Hawaii) shall provide the [Federal Energy Regulatory] Commission, the Electric Reliability Organization and the applicable Regional Entity such information as is necessary to implement section 215 of the Federal Power Act as determined by the [Federal Energy Regulatory] Commission and set out in the Rules of the Electric Reliability Organization and each applicable Regional Entity. The Electric Reliability Organization and each Regional Entity shall provide the [Federal Energy Regulatory] Commission such information as is necessary to implement section 215 of the Federal Power Act. NERC Rule of Procedure 403, Section 10.1: Information Submittal - Each Regional Entity has the authority to collect the necessary information to determine compliance and shall develop processes for gathering data from the bulk power system owners, operators, and users they monitor.

15 North American Energy Reliability Corporation and Nuclear Regulatory Commission Memorandum of Understanding Ralph Costello Team Leader Office of Nuclear Security and Incident Response Nuclear Regulatory Commission

16 NERC CIPs for digital systems subject to both FERC and NRC regulations
NRC - NERC MOU Cooperation –NERC’s disposition of exceptions Brightline process e.g. Safety and Important to safety systems, Security systems, and Emergency Preparedness systems e.g. Systems, structures, and components subject to FERC requirements FERC Order 706B permits licensees to seek “exceptions” to compliance with NERC CIPs for digital systems subject to both FERC and NRC regulations

17 NRC - NERC MOU Cont. Share information relative to digital assets governed by the other party’s cyber security requirements Coordinate to maximum extent on the process for conducting inspections

18 NRC - NERC MOU Cont. Sharing of all information necessary to carry out the intent of the MOU Coordinate on all public announcements of enforcement actions relative to cyber security requirements and coordinate the resolution of issues involving enforcement actions

19 Memorandum of Understanding
NRC - NERC MOU Cont. Memorandum of Understanding

20 Nuclear Power Plant “Bright-Line" Survey
Jim Hughes

21 Terminal Objective: Enabling Objectives: Workshop Objectives
Identify the requirements to complete the NERC Bright-Line Survey Enabling Objectives: Identify where to find the Bright-Line documentation Identify the critical attributes of the Bright-Line Survey

22 Bright-Line Documentation
Provided on the NERC Web site: FERC Orders NERC/NRC MOU Presentation Materials Bright-Line Survey Speak to the web site. It is possible to hit the link to go to the web site and briefly discuss what is found there.

23 Bright-Line Survey Overview
Introduction & Scope Due Date and Contact Data Survey Items 1 and 2 Company Information and Approval Generic SSC lists Attachment I (SSCs under NERC Jurisdiction) Attachment II (SSCs Excluded from Attachment I) Take the time to ensure that everyone has the survey in front of them, then speak to the survey.

24 Survey Item 1 Bright-Line Survey
Does Attachment I include all SSCs in your power plant that could impact reliable delivery of electricity to the Bulk Power System or manage critical energy infrastructure information? Exclude those SSCs in Attachment II IF the question is asked regarding criteria, RoP 1500 provides the definition of CEII.

25 Survey Item 2 Bright-Line Survey
If the answer to Survey Item 1 is “No” please revise the list to add to or remove SSCs from Attachment I All changes to Attachment I must be accompanied with the basis for those changes CEII IAW RoP …Critical energy infrastructure information means specific engineering, vulnerability, or detailed design information about proposed or existing critical infrastructure that (i) relates details about the production, generation, transportation, transmission, or distribution of energy; (ii) could be useful to a person in planning an attack on critical infrastructure; and (iii) does not simply give the location of the critical infrastructure.

26 Special Registration for NPPs
Next Steps Special Registration for NPPs Surveys will be ed to each CC/NPP on or before June 25, 2010 Surveys shall be completed by NPPs and returned to NERC on or before July 23, 2010 NERC to review and approve, with NRC coordination, the completed Bright-Line surveys on or before October 15, 2010 “S” Date Special Registration – NUC “Nuclear Plant GOP”

27 Recommended that System Engineering complete Survey Items 1&2
Important Takeaways Do not provide information such as IP Addresses, and asset/network vulnerabilities Recommended that System Engineering complete Survey Items 1&2 Need accurate subject matter expert point of contact data The Bright-Line Attachment 1 is complete after NERC review (October 15, 2010) Stress the need to have accurate POC information and ensure the surveys get to the NPP(s) if there is only a corp. Compliance Contact.

28 NERC Contact Data E-mail completed survey to Jim.Hughes@nerc.net
Phone: Secondary contact: Phone: Alternate contact: Phone: If mailing completed survey: North American Electric Reliability Corporation c/o Jim Hughes Village Boulevard Princeton, New Jersey

29 Questions?

Download ppt "Nuclear Power Plant “Bright-Line” NERC:. Tim Roxey and Jim Hughes NRC:"

Similar presentations

NERC Reliability Readiness The Next Steps Mitch Needham NERC Readiness Evaluator September 24, 2007.

NERC Reliability Readiness The Next Steps Mitch Needham NERC Readiness Evaluator September 24, 2007.
NERC Critical Infrastructure Protection Advisory Group (CIP AG) Electric Industry Initiatives Reducing Vulnerability To Terrorism.

NERC Critical Infrastructure Protection Advisory Group (CIP AG) Electric Industry Initiatives Reducing Vulnerability To Terrorism.
PER-005-2.

PER
FRCC Fall Compliance Workshop October , 2013

FRCC Fall Compliance Workshop October , 2013
Allan Wick, CFE, CPP, PSP, PCI, CBCP Chief Security Officer WECC Joint Meeting October 8, 2014.

Allan Wick, CFE, CPP, PSP, PCI, CBCP Chief Security Officer WECC Joint Meeting October 8, 2014.
Recent NERC Standards Activities RSC – Jan. 5, 2011 NSRS Update Date Meeting Title (optional)

Recent NERC Standards Activities RSC – Jan. 5, 2011 NSRS Update Date Meeting Title (optional)
Why TADS Is Needed No systematic transmission outage data collection effort exists for all of North America Energy Information Administration data (Schedule.

Why TADS Is Needed No systematic transmission outage data collection effort exists for all of North America Energy Information Administration data (Schedule.
Gcpud1 CRITICAL INFRASTRUCTURE PROTECTION NERC 1200 CIP 002 - 009 CRITICAL INFRASTRUCTURE PROTECTION NERC 1200 CIP 002 - 009.

Gcpud1 CRITICAL INFRASTRUCTURE PROTECTION NERC 1200 CIP CRITICAL INFRASTRUCTURE PROTECTION NERC 1200 CIP
Cyber Security Plan Implementation Presentation to CMBG Glen Frix, Duke Energy June 20, 2010 1.

Cyber Security Plan Implementation Presentation to CMBG Glen Frix, Duke Energy June 20,
NRC Cyber Security Regulatory Program Development Background ANSI Nuclear Energy Standards Coordination Collaborative (NESCC) Meeting November 3, 2014November.

NRC Cyber Security Regulatory Program Development Background ANSI Nuclear Energy Standards Coordination Collaborative (NESCC) Meeting November 3, 2014November.
Recently Issued OHRP Documents: Guidance on Subject Withdrawal and Draft Revised FWA Secretary’s Advisory Committee on Human Research Protections October.

Recently Issued OHRP Documents: Guidance on Subject Withdrawal and Draft Revised FWA Secretary’s Advisory Committee on Human Research Protections October.
1. 11/26/2012: NERC Board of Trustees adopted CIP v5 CIP-002-5 thru CIP-009-5 CIP-010-1 and CIP-011-1 Version 5 Filing FERC requested filing by 3/31/2013.

1. 11/26/2012: NERC Board of Trustees adopted CIP v5 CIP thru CIP CIP and CIP Version 5 Filing FERC requested filing by 3/31/2013.
Licensing of Nuclear Power Plants in Pakistan

Licensing of Nuclear Power Plants in Pakistan
CIP Version 5 Update OC Meeting November 7, 2013.

CIP Version 5 Update OC Meeting November 7, 2013.
1 Mandatory Reliability Standards (MRS) Assessment Report No. 8 Workshop December 16, 2014 Teleconference Bridge Details: 604-899-2339 (Vancouver) 1-877-385-4099.

1 Mandatory Reliability Standards (MRS) Assessment Report No. 8 Workshop December 16, 2014 Teleconference Bridge Details: (Vancouver)
Jeffery J. Gust IOWA INDUSTRIAL ENERGY GROUP FALL CONFERENCE Tuesday, October 14, 2014 MidAmerican Energy Company.

Jeffery J. Gust IOWA INDUSTRIAL ENERGY GROUP FALL CONFERENCE Tuesday, October 14, 2014 MidAmerican Energy Company.
Physical Security CIP-014-1 NERC Standing Committees December 9-10, 2014.

Physical Security CIP NERC Standing Committees December 9-10, 2014.
Update: Physical Guideline UPDATE: Physical Security Guideline UPDATED Physical Response Security Guideline Public Release.

Update: Physical Guideline UPDATE: Physical Security Guideline UPDATED Physical Response Security Guideline Public Release.
City of Leesburg Electric Department Internal Compliance Program (ICP)

City of Leesburg Electric Department Internal Compliance Program (ICP)
Commissioning of Fire Protection and Life Safety Systems Presented by: Charles Kilfoil Bechtel National Waste Treatment Plant Richland WA.

Commissioning of Fire Protection and Life Safety Systems Presented by: Charles Kilfoil Bechtel National Waste Treatment Plant Richland WA.

Similar presentations

Ads by Google