Presentation is loading. Please wait.

Presentation is loading. Please wait.

NRC Cyber Security Regulatory Overview

Published byEustace Nelson Modified over 5 years ago

Similar presentations

Presentation on theme: "NRC Cyber Security Regulatory Overview"— Presentation transcript:

1 NRC Cyber Security Regulatory Overview
LLW Forum Meeting October 16, 2017 Alexandria, Virginia James Beardsley, Cyber Security Branch Chief Division of Physical and Cyber Security Policy (DPCP) Office of Nuclear Security and Incident Response (NSIR)

2 Background Power Reactor Cyber Security History
: NRC included the first cyber requirements in Physical Security and Design Basis Threat Orders 2005: NRC supported industry voluntary cyber program (NEI 04-04) 2009: 10 CFR 73.54, Cyber Security Rule 2012: Implementation/Oversight of Interim Cyber Security Milestones : Milestone 1-7 Inspections 2015: 10 CFR 73.77, Cyber Security Notification Rule 2017: Full Cyber Security Implementation 10/16/2017

3 NRC Regulatory Guide 5.71 Conceptual Approach
Cyber Security Assessment Team Identify Critical Digital Assets Apply Defensive Architecture Address Security Controls Address each control for all CDAs, or Apply alternative measures, or Explain why a control is N/A

4 Power Reactors & COL Holders
Milestone 1-7 Inspections Conducted Milestone 8 (Full Cyber Implementation) Complete no later than December 2017 Graded approach to CDA control application through NEI The NRC and Licensees have learned a lot of lessons through the implementation process. Full Implementation Inspections

5 IMPLEMENTED BY DECEMBER 2012
Interim Milestones Establish Multi-disciplinary Cyber Assessment Team Identify Critical Digital Assets Establish Defensive Architecture- Isolation of the Most Critical Assets Control Portable Media and Devices Enhanced Insider Mitigation Controls Established for Most Significant Components Ongoing Monitoring and Assessment of controls IMPLEMENTED BY DECEMBER 2012

6 Full Implementation Details
Expands scope to include all Critical Digital Assets (CDAs) All Safety & Security – Full Cyber Controls Graded Approach for Important-to-Safety, Emergency Preparedness (EP) & Balance-of-Plant (BoP) Some Important-to-Safety, the EP and BoP CDAs are evaluated as Non-Direct Non-Direct CDAs have a minimal set of controls applied Non-Direct CDA: CDAs that cannot have an adverse impact on Safety or Security functions prior to their compromise or failure being detected and compensatory measures being implemented by a licensee 6

7 Full Implementation - Cyber Programs
Attack Mitigation and Incident Response Testing and Drills Continuity of Operations Training, Testing Secure Communication Pathways to CDAs Ensure only authorized, protected communication from known devices is permitted Supply Chain Adds security requirements relevant to vendors, contractors, and developers Ensure Availability and Integrity of Information To, From, and On CDAs Prevent CDAs from accessing, receiving, transmitting, or producing unverified or untrusted information Configuration Management Ongoing Evaluation and Management of Cyber Risk Audit and Accountability Validates effectiveness of the cyber security program and controls 7

8 Cyber Security Notification
The Cyber Security Notification Rule, 10 CFR became effective on December 2, 2015 Implementation date – May 2, 2016 Requires licensees to notify NRC of certain cyber incidents within timelines based on the severity of the incident NRC Regulatory Guide 5.83 provides NRC guidance NEI guidance document (NEI 15-09)

9 Future Plans In 2019 NSIR plans to conduct an overall assessment of the power reactor cyber security program to include: Effectiveness of the 10 CFR rule Effectiveness of the guidance and licensee implementation of the rule Effectiveness of the full implementation inspection program External factors and lessons learned over the course of program implementation The assessment will result in a paper to the Commission. 10/16/2017 9

10 Other NRC Cyber Initiatives
Fuel Cycle Facilities Cyber Security Rulemaking in progress Lessons learned from power reactor implementation Non-Power Reactors Best Practices Guidance Non-Production Utilization Facilities Under evaluation by the NRC staff Independent Spent Fuel Storage Installations No cyber requirement, may re-evaluate in the future Nuclear Materials Decommissioning Cyber Security is included in the decommissioning rulemaking 10

11 Questions 11

12 10 CFR 73.54 Requirements Identify Critical Digital Assets (CDAs).
Apply & Maintain a Defense-in-Depth Protective Strategy. Address Security Controls for each CDA. Identify, Respond and Mitigate against cyber attacks. Training commensurate with roles and responsibilities to facility personnel. Review/Maintain the CSP as a component of the Physical Security Plan. Retain records and supporting technical documentation. 08/29/17 12

Download ppt "NRC Cyber Security Regulatory Overview"

Similar presentations

Checking & Corrective Action

Checking & Corrective Action
Michael Thow Cyber Security Engineering Supervisor

Michael Thow Cyber Security Engineering Supervisor
INPO Update CMBG Meeting June 2013

INPO Update CMBG Meeting June 2013
Vermont Yankee Presentation to VSNAP 7/17/13 VY/Entergy Fukushima Response Update Bernard Buteau.

Vermont Yankee Presentation to VSNAP 7/17/13 VY/Entergy Fukushima Response Update Bernard Buteau.
IAEA International Atomic Energy Agency. IAEA Outline Learning objectives Introduction Functions of Regulatory Body (RB) on EPR Appraisal guidance: Part.

IAEA International Atomic Energy Agency. IAEA Outline Learning objectives Introduction Functions of Regulatory Body (RB) on EPR Appraisal guidance: Part.
An Insider’s Perspective on the NRC’s New Cyber Security Rule and Forthcoming Regulatory Guidance: Potential Impacts on Meteorology and Emergency Preparedness.

An Insider’s Perspective on the NRC’s New Cyber Security Rule and Forthcoming Regulatory Guidance: Potential Impacts on Meteorology and Emergency Preparedness.
Cyber Security Plan Implementation Presentation to CMBG Glen Frix, Duke Energy June 20, 2010 1.

Cyber Security Plan Implementation Presentation to CMBG Glen Frix, Duke Energy June 20,
NRC Cyber Security Regulatory Program Development Background ANSI Nuclear Energy Standards Coordination Collaborative (NESCC) Meeting November 3, 2014November.

NRC Cyber Security Regulatory Program Development Background ANSI Nuclear Energy Standards Coordination Collaborative (NESCC) Meeting November 3, 2014November.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Lindy Hughes Fleet Fire Protection Program Engineer Southern Nuclear Operating Company June 4, 2013 Fire Protection.

Lindy Hughes Fleet Fire Protection Program Engineer Southern Nuclear Operating Company June 4, 2013 Fire Protection.
Security Controls – What Works

Security Controls – What Works
1 10 CFR Part 26 Subpart I Managing Fatigue Kamishan Martin Human Factors Engineering June 23, 2010 HPRCT conference.

1 10 CFR Part 26 Subpart I Managing Fatigue Kamishan Martin Human Factors Engineering June 23, 2010 HPRCT conference.
Main Requirements on Different Stages of the Licensing Process for New Nuclear Facilities Module 4.7 Commissioning Geoff Vaughan University of Central.

Main Requirements on Different Stages of the Licensing Process for New Nuclear Facilities Module 4.7 Commissioning Geoff Vaughan University of Central.
Session 6: Data Integrity and Inspection of e-Clinical Computerized Systems May 15, 2011 | Beijing, China Kim Nitahara Principal Consultant and CEO META.

Session 6: Data Integrity and Inspection of e-Clinical Computerized Systems May 15, 2011 | Beijing, China Kim Nitahara Principal Consultant and CEO META.
Federal Aviation Administration Oversight of Contract Maintenance Presented to: U.S./ Europe International Aviation Safety Conference By: Dan Bachelder,

Federal Aviation Administration Oversight of Contract Maintenance Presented to: U.S./ Europe International Aviation Safety Conference By: Dan Bachelder,
Nuclear Power Plant “Bright-Line” NERC:. Tim Roxey and Jim Hughes NRC:

Nuclear Power Plant “Bright-Line” NERC:. Tim Roxey and Jim Hughes NRC:
NEI Issues & Current Events George Oliver June 22, 2009 19th Annual RETS – REMP Workshop South Bend, Indiana.

NEI Issues & Current Events George Oliver June 22, th Annual RETS – REMP Workshop South Bend, Indiana.
A Proposed Risk Management Regulatory Framework Commissioner George Apostolakis Presented at the Organization of Agreement States 2012 Annual Meeting Milwaukee,

A Proposed Risk Management Regulatory Framework Commissioner George Apostolakis Presented at the Organization of Agreement States 2012 Annual Meeting Milwaukee,
Fatigue Management Rule Russell Smith Nuclear Energy Institute (NEI)

Fatigue Management Rule Russell Smith Nuclear Energy Institute (NEI)
IRSN STRATEGY TO ASSESS A NEW MAINTENANCE POLICY 27.09.2010 / Nesebar, Bulgaria Presented by Naoëlle MATAHRI, IRSN.

IRSN STRATEGY TO ASSESS A NEW MAINTENANCE POLICY / Nesebar, Bulgaria Presented by Naoëlle MATAHRI, IRSN.

Similar presentations

Ads by Google