NRC Cyber Security Regulatory Overview

Presentation transcript:

NRC Cyber Security Regulatory Overview LLW Forum Meeting October 16, 2017 Alexandria, Virginia James Beardsley, Cyber Security Branch Chief Division of Physical and Cyber Security Policy (DPCP) Office of Nuclear Security and Incident Response (NSIR)

Background: Power Reactor Cyber Security History
2002-2003: NRC included the first cyber security requirements in the Physical Security and Design Basis Threat Orders
2005: NRC supported the industry voluntary cyber security program (NEI 04-04)
2009: 10 CFR 73.54, Cyber Security Rule
2012: Implementation and oversight of the interim cyber security milestones
2013-2015: Milestone 1-7 inspections
2015: 10 CFR 73.77, Cyber Security Event Notification Rule
2017: Full cyber security program implementation

NRC Regulatory Guide 5.71: Conceptual Approach
Form a Cyber Security Assessment Team
Identify Critical Digital Assets (CDAs)
Apply a defensive architecture
Address security controls. For each CDA, either address each control, apply alternative measures that provide equivalent protection, or document why the control is not applicable.

Power Reactors and COL Holders
Milestone 1-7 inspections were conducted in 2013-2015.
Milestone 8 (full cyber security program implementation) is to be complete no later than December 2017.
Graded approach to applying controls to CDAs, following NEI 13-10.
The NRC and licensees have learned many lessons through the implementation process.
Full implementation inspections: 2017-2020.

Interim Milestones (implemented by December 2012)
Establish a multi-disciplinary Cyber Assessment Team
Identify Critical Digital Assets
Establish a defensive architecture, isolating the most critical assets
Control portable media and devices
Enhance insider mitigation
Establish controls for the most significant components
Ongoing monitoring and assessment of controls

Full Implementation Details
Expands scope to include all Critical Digital Assets (CDAs).
All Safety and Security CDAs: full set of cyber security controls.
Graded approach for Important-to-Safety, Emergency Preparedness (EP) and Balance-of-Plant (BoP) CDAs.
Some Important-to-Safety, EP and BoP CDAs are evaluated as Non-Direct CDAs.
Non-Direct CDAs have a minimal set of controls applied.
Non-Direct CDA: a CDA that cannot have an adverse impact on safety or security functions before its compromise or failure is detected and compensatory measures are implemented by the licensee.

Full Implementation: Cyber Programs
Attack Mitigation and Incident Response: testing and drills; continuity of operations; training and testing.
Secure Communication Pathways to CDAs: ensure only authorized, protected communication from known devices is permitted.
Supply Chain: adds security requirements relevant to vendors, contractors, and developers.
Ensure Availability and Integrity of Information To, From, and On CDAs: prevent CDAs from accessing, receiving, transmitting, or producing unverified or untrusted information.
Configuration Management: ongoing evaluation and management of cyber risk.
Audit and Accountability: validates the effectiveness of the cyber security program and controls.

Cyber Security Event Notification
The Cyber Security Event Notification Rule, 10 CFR 73.77, became effective on December 2, 2015; the implementation date was May 2, 2016.
Requires licensees to notify the NRC of certain cyber security incidents within timelines based on the severity of the incident.
NRC Regulatory Guide 5.83 provides the NRC guidance; NEI 15-09 is the industry guidance document.

Future Plans
In 2019, NSIR plans to conduct an overall assessment of the power reactor cyber security program, to include:
Effectiveness of the 10 CFR 73.54 rule
Effectiveness of the guidance and of licensee implementation of the rule
Effectiveness of the full implementation inspection program
External factors and lessons learned over the course of program implementation
The assessment will result in a paper to the Commission.

Other NRC Cyber Initiatives
Fuel Cycle Facilities: cyber security rulemaking in progress, incorporating lessons learned from power reactor implementation.
Non-Power Reactors: best practices guidance.
Non-Production Utilization Facilities: under evaluation by the NRC staff.
Independent Spent Fuel Storage Installations: no cyber security requirement; may be re-evaluated in the future.
Nuclear Materials Decommissioning: cyber security is included in the decommissioning rulemaking.

Questions

10 CFR 73.54 Requirements
Identify Critical Digital Assets (CDAs).
Apply and maintain a defense-in-depth protective strategy.
Address security controls for each CDA.
Identify, respond to, and mitigate cyber attacks.
Provide training to facility personnel commensurate with their roles and responsibilities.
Review and maintain the Cyber Security Plan (CSP) as a component of the Physical Security Plan.
Retain records and supporting technical documentation.