nuclear power plant bright line nerc tim roxey and jim hughes nrc perry pederson and ralph costello l.
Skip this Video
Loading SlideShow in 5 Seconds..
Nuclear Power Plant “Bright-Line” NERC: Tim Roxey and Jim Hughes NRC: Perry Pederson and Ralph Costello PowerPoint Presentation
Download Presentation
Nuclear Power Plant “Bright-Line” NERC: Tim Roxey and Jim Hughes NRC: Perry Pederson and Ralph Costello

Loading in 2 Seconds...

play fullscreen
1 / 29

Nuclear Power Plant “Bright-Line” NERC: Tim Roxey and Jim Hughes NRC: Perry Pederson and Ralph Costello - PowerPoint PPT Presentation

  • Uploaded on

Nuclear Power Plant “Bright-Line” NERC: Tim Roxey and Jim Hughes NRC: Perry Pederson and Ralph Costello Charlotte, NC April 22, 2010 Phoenix, AZ April 26, 2010 Philadelphia, PA May 4, 2010 Chicago, IL May 6, 2010 Workshop Topics Bright-Line Requirement Cyber Security at NRC

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

Nuclear Power Plant “Bright-Line” NERC: Tim Roxey and Jim Hughes NRC: Perry Pederson and Ralph Costello

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
nuclear power plant bright line nerc tim roxey and jim hughes nrc perry pederson and ralph costello

Nuclear Power Plant “Bright-Line”NERC: Tim Roxey and Jim HughesNRC: Perry Pederson and Ralph Costello

Charlotte, NC April 22, 2010

Phoenix, AZ April 26, 2010

Philadelphia, PA May 4, 2010

Chicago, IL May 6, 2010

workshop topics
Workshop Topics
  • Bright-Line Requirement
  • Cyber Security at NRC
  • Bright-Line Process
  • NRC’s Position Relative to the MOU
  • Bright-Line Survey
  • NERC Point of Contacts
  • Q & A – Please hold questions and comments to the end of the presentation
bright line requirement
“Bright-Line” Requirement
  • Establish the FERC and NRC jurisdictional delineation of Nuclear Power Plant (NPP) Systems Structures and Components (SSC) through the creation of an exemption process for excluding certain SSCs from the scope of applicable NERC Standards as provided in FERC Order No. 706-B


cyber security at nrc

Cyber Security at NRC

NRC/NERC Bright-Line Workshop

Perry Pederson

NSIR Security Specialist (Cyber)

  • 10 CFR 73.54
  • Regulatory Guide 5.71
10 cfr 73 54
10 CFR 73.54
  • High-level, Performance-Based, Programmatic
    • FOCUS: Prevention of Radiological Sabotage
    • Generic (i.e., not reactor-specific)
    • Consistent with physical security regulatory approach
  • Basic Requirements
    • Systems that must be protected
    • Defense-in-Depth protective strategy
    • Application of security controls
    • Implementation details maintained on site
    • Submit Cyber Security Plans to NRC for approval
  • Cyber Security Plans
    • Site-specific processes and criteria
rg 5 71 overview
RG 5.71 Overview


Jan 2010

  • Components
    • Main Body
    • Appendix A (generic cyber security plan template)
    • Appendix B (technical security controls)
    • Appendix C (operational/management security controls)
  • Performance-Based, Programmatic
    • Consistent with NIST recommendations
    • Flexible and minimally prescriptive with burden on licensees to establish effective programs
  • Alignment with Digital I&C Interim Staff Guidance
    • ISG-1
    • ISG-4
    • RG 1.152
rg 5 71 guideline
RG 5.71 Guideline

Form Cyber Security Team

Identify Critical Digital Assets

Apply Defensive Architecture

Address Security Controls

  • Address each control for each CDA
  • Or, apply alternative measures
  • Or, explain why a control is N/A
cyber controls npp a total view
Cyber Controls – NPP a Total View
  • Security Controls to address
  • - 10 CFR 73.1 (Design Basis Threat)
  • 10 CFR 73.54 (Cyber Security)
  • Performance Objective:



Bulk Power Reliability Controls:

Section 215 of the Federal Power Act

18 CFR Conservation of Power and Water Resources

Regulatory Basis:

Grid Reliability

NERC Governance:

Rules of Procedures section 400 “Compliance Enforcement Program”

  • Title 10 Scope:
  • Systems that support
  • Safety functions
  • Security functions
  • Emergency Response functions
  • Support Systems that could adversely impact one of the above functions
  • FPA Section 215 Scope:
  • Balance-of-Plant “Support Systems” that do not adversely impact:
  • Safety functions
  • Security functions
  • Emergency Response functions

Fully compliant

Title 10


FPA Section 215

NOTE: It should be noted that there will be some SSCs that will not be impacted by either NRC or NERC requirements.

Fully compliant

Title 10


FERC Order 706/706B:

Identify those SSCs that are exempted from NERC jurisdiction and thereby MAY not be subject to applicable CIP standards

Individual licensee Cyber Security Plan submitted (10 CFR 73.54)

Individual COL Applicant submitted (10 CFR Part 52)

NERC CIP 002 - 009

bright line history
Bright-Line History
  • January 18, 2008: FERC issued Order No. 706 adopting CIP-002 – 009 standards
    • CIP-002 - 009 Standards exempt facilities regulated by the NRC
  • March 19, 2009: FERC issued Order No. 706-B, certain balance of plant (BOP) SSCs are subject to compliance with NERC CIP Reliability Standards
    • No “dual regulation” i.e., Bright-Line
  • September 14, 2009: NERC’s NPP CIP Implementation Plan for each NPP, by requirement, filed to FERC
    • R = FERC Effective Date,
    • S = Scope of Systems Determination and,
    • RO = Next Refueling Outage beyond 18 months (R+6)
bright line history cont d
Bright-Line History (Cont’d)
  • December 17, 2009: FERC Order directing NERC to present a process on how SSCs are exempted from NERC Reliability Standards by January 19, 2010 (Bright-Line)
  • December 30, 2009: Historic MOU executed between the NRC and NERC identifying their roles and responsibilities
  • January 19, 2010: NERC filing to FERC the details on the exemption process for NPP
    • Coordinated with the NRC to determine those SSCs subject to NERC jurisdiction and those SSCs subject to NRC jurisdiction – Generic List
  • March 18, 2010: FERC Order approving NERC’s Bright-Line & Implementation plan (R = March 18, 2010)
confidential information
Confidential Information
  • NERC’s Handling of Confidential Information
  • The information provided by the NPPs to NERC will be handled in accordance with the NERC Rules of Procedure (RoP) section 1500 “Confidential Information” if that information is so designated by the NPP
  • NERC and regional staff that review information that is SGI will be Safeguard Authorized per 10 CFR §73.21 & §73.22
  • NERC will establish “Reviewing Officials” for SGI per the MOU
collection of information
Collection of Information
  • NERC Authority to Collect Bright-Line Information
  • ▪ Section 215 of the Federal Power Act (16 U.S.C. §824o):
    • Established NERC as the ERO to enforce NERC Standards
  • ▪ Title 18 C.F.R §39.2(d) (FERC’s Regulations):
    • User, owner or operator of the bulk power system shall provide such information as is necessary to implement section 215 of the Federal Power Act to FERC/ERO/Region
  • ▪ NERC Rule of Procedure 400, Section 10.1:
    • Information Submittal - Each Regional Entity has the authority to collect the necessary information to determine compliance

North American Energy Reliability Corporation andNuclear Regulatory Commission Memorandum of UnderstandingRalph CostelloTeam Leader Office of Nuclear Security and Incident ResponseNuclear Regulatory Commission

nrc nerc mou
  • Cooperation –NERC’s disposition of exceptions
    • Brightline process

e.g. Safety and Important to safety systems,

Security systems, and Emergency Preparedness systems

e.g. Systems, structures, and components subject to FERC requirements

FERC Order 706B permits licensees to seek “exceptions” to compliance with

NERC CIPs for digital systems subject to both FERC and NRC regulations

nrc nerc mou cont
  • Share information relative to digital assets governed by the other party’s cyber security requirements
  • Coordinate to maximum extent on the process for conducting inspections
nrc nerc mou cont18
  • Sharing of all information necessary to carry out the intent of the MOU
  • Coordinate on all public announcements of enforcement actions relative to cyber security requirements and coordinate the resolution of issues involving enforcement actions
nrc nerc mou cont19

Memorandum of Understanding

workshop objectives
Workshop Objectives
  • Terminal Objective:
    • Identify the requirements to complete the NERC Bright-Line Survey
  • Enabling Objectives:
    • Identify where to find the Bright-Line documentation
    • Identify the critical attributes of the Bright-Line Survey
bright line documentation
Bright-Line Documentation
  • Provided on the NERC Web site:
    • FERC Orders
    • Presentation Materials
    • Bright-Line Survey
bright line survey overview
Bright-Line Survey Overview
  • Introduction & Scope
  • Due Date and Contact Data
  • Survey Items 1 and 2
  • Company Information and Approval
  • Generic SSC lists
    • Attachment I (SSCs under NERC Jurisdiction)
    • Attachment II (SSCs Excluded from Attachment I)
bright line survey
Bright-Line Survey
  • Survey Item 1
  • Does Attachment I include all SSCs in your power plant that could impact reliable delivery of electricity to the Bulk Power System or manage critical energy infrastructure information?
    • Exclude those SSCs in Attachment II
bright line survey25
Bright-Line Survey
  • Survey Item 2
    • If the answer to Survey Item 1 is “No” please revise the list to add to or remove SSCs from Attachment I
      • All changes to Attachment I must be accompanied with the basis for those changes
next steps
Next Steps
  • Special Registration for NPPs
  • Surveys will be e-mailed to each CC/NPP on or before June 25, 2010
  • Surveys shall be completed by NPPs and returned to NERC on or before July 23, 2010
  • NERC to review and approve, with NRC coordination, the completed Bright-Line surveys on or before October 15, 2010

“S” Date

important takeaways
Important Takeaways
  • Do not provide information such as IP Addresses, and asset/network vulnerabilities
  • Recommended that System Engineering complete Survey Items 1&2
  • Need accurate subject matter expert point of contact data
  • The Bright-Line Attachment 1 is complete after NERC review (October 15, 2010)
nerc contact data
NERC Contact Data
  • E-mail completed survey to
    • Phone: 609-203-2288
  • Secondary contact:
    • Phone: 410-474-9240
  • Alternate contact:
    • Phone: 609-524-7073
  • If mailing completed survey:
      • North American Electric Reliability Corporationc/o Jim Hughes116-390 Village BoulevardPrinceton, New Jersey 08540-5721